Platform
php
Component
admidio
Fixed in
5.0.9
CVE-2026-34383 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting Admidio, an open-source user management solution. This flaw allows an authenticated user to bypass CSRF token validation and server-side form validation within the inventory module's item_save endpoint. The vulnerability impacts versions of Admidio prior to 5.0.8 and can lead to unauthorized modification of inventory item data. A patch is available in version 5.0.8.
An attacker exploiting this CSRF vulnerability can trick an authenticated Admidio user into unknowingly submitting a malicious POST request to the item_save endpoint. By setting the imported parameter to true, the attacker bypasses both CSRF token validation and server-side form validation. This enables them to save arbitrary inventory item data without any checks, potentially leading to data corruption, unauthorized access, or even privilege escalation depending on the nature of the inventory data. The impact is amplified if the inventory data contains sensitive information or is used to configure critical system settings. While requiring authentication, the ease of crafting the malicious request makes this a concerning vulnerability.
This vulnerability was publicly disclosed on 2026-03-31. There are currently no known public proof-of-concept exploits available, but the ease of exploitation suggests a potential for rapid development of such tools. The vulnerability is not currently listed on the CISA KEV catalog. The relatively low CVSS score (4.3) reflects the requirement for user authentication, but the potential impact warrants prompt remediation.
Exploit Status
EPSS
0.03% (8% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-34383 is to immediately upgrade Admidio to version 5.0.8 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. While a direct WAF rule targeting the itemsave endpoint is difficult without knowing the specific data being manipulated, implementing stricter input validation on the server-side can help reduce the attack surface. Review and restrict access to the inventory module to only authorized personnel. Monitor Admidio logs for suspicious POST requests to the itemsave endpoint, particularly those originating from unexpected sources. After upgrading, confirm the fix by attempting to submit a POST request with the imported=true parameter and verifying that the request is rejected.
Update Admidio to version 5.0.8 or higher. This version fixes the CSRF vulnerability and form validation bypass in the inventory module. The update ensures that requests are protected against CSRF attacks and that inventory data is validated correctly.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-34383 is a Cross-Site Request Forgery (CSRF) vulnerability in Admidio versions prior to 5.0.8, allowing authenticated users to bypass validation and modify inventory data.
You are affected if you are running Admidio version 5.0.8 or earlier. Immediately check your version and upgrade if necessary.
Upgrade Admidio to version 5.0.8 or later. Consider temporary workarounds like stricter input validation if immediate upgrade is not possible.
There are currently no confirmed reports of active exploitation, but the ease of exploitation suggests a potential for future attacks.
Refer to the official Admidio security advisory on their website or GitHub repository for the latest information and updates.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.