Description
Adminer is open-source database management software. Adminer v5.4.1 and earlier has a version check mechanism where adminer.org sends signed version info via JavaScript postMessage, which the browser then POSTs to ?script=version. This endpoint lacks origin validation and accepts POST data from any source. An attacker can POST a version[] parameter, which PHP converts to an array. On the next page load, openssl_verify() receives this array instead of a string and throws a TypeError, returning HTTP 500 to all users. Upgrade to Adminer 5.4.2.
Published: 2026-02-09
Score: 7.5 High
EPSS: 4.5% Low
KEV: No
Impact: Denial of Service (Unauthenticated Persistent DoS)
Action: Apply Patch
AI Analysis

Impact

Adminer v5.4.1 and earlier lack origin validation on the ?script=version endpoint. An attacker can submit a POST request containing a 'version[]' parameter, which PHP interprets as an array. When openssl_verify() later receives this array instead of a string, it raises a TypeError and triggers an HTTP 500 response for all users. This results in a persistent, unauthenticated denial of service, compromising availability without affecting confidentiality or integrity.

Affected Systems

The vulnerability affects Adminer versions 5.4.1 and earlier, developed by vrana. Systems running these versions of the open-source database management tool are vulnerable, regardless of deployment size or environment, because the flaw is in unguarded code that all installations share.

Risk and Exploitability

With a CVSS score of 7.5, the flaw is considered high severity. An EPSS score of 5% indicates a moderate likelihood that an adversary will exploit it. The vulnerability is not listed in CISA's KEV catalog. An attacker can trigger the DoS remotely by sending a crafted POST to the susceptible endpoint; no authentication or privileges are required, making the attack straightforward against any web host exposing Adminer.

Generated by OpenCVE AI on April 18, 2026 at 12:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Adminer to version 5.4.2 or later, which corrects the origin validation and input handling.
  • If an upgrade is not immediately possible, restrict POST requests to /?script=version to trusted IP addresses or apply a WAF rule that blocks array parameters or missing origin headers.
  • Continuously monitor application logs for unexpected 500 responses or TypeError indications, and respond to any incidents promptly.
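As an added illustration that is not Adminer's code, the PHP mock-up below walks through the mechanism in the description and the input-handling advice above: an unchecked store of the POSTed version value, the TypeError that openssl_verify() raises once that value is an array, and a hardened handler that requires a trusted Origin header (the allowed origin value is an assumption, as is the whole mitigation; it is not the vendor's 5.4.2 patch) and a bounded scalar string. A throwaway RSA key pair is generated at runtime so the script runs stand-alone.

```php
<?php
// Added illustration, not Adminer's code: why a "version[]" POST field
// breaks a later openssl_verify() call, and a hardened handler.
// PHP parses "version[]=x" into an array, so $_POST['version'] need not be
// a string. Constructed request data stands in for $_POST and $_SERVER.
$legit  = ['version' => 'signed-version-payload'];
$poison = ['version' => ['x']];
$server = ['HTTP_ORIGIN' => 'https://www.adminer.org'];

// Vulnerable pattern: the value is stored with no type check.
function storeUnchecked(array $post, array &$store): void {
    $store['version'] = $post['version'] ?? null;
}

// Hardened pattern (assumed mitigation, not the vendor's 5.4.2 patch):
// require a trusted Origin header and a bounded, scalar string.
function storeChecked(array $post, array $server, array &$store): bool {
    $allowedOrigin = 'https://www.adminer.org';   // assumed trusted origin
    if (($server['HTTP_ORIGIN'] ?? '') !== $allowedOrigin) {
        return false;
    }
    $v = $post['version'] ?? null;
    if (!is_string($v) || $v === '' || strlen($v) > 4096) {
        return false;                             // arrays, empty and oversize input rejected
    }
    $store['version'] = $v;
    return true;
}
// Signature check on the stored value. An array never coerces to string,
// so openssl_verify() throws TypeError; unhandled, that is the HTTP 500.
function verifyStored(array $store, string $sig, string $pubKey): string {
    try {
        $ok = openssl_verify($store['version'] ?? '', $sig, $pubKey, OPENSSL_ALGO_SHA256);
        return $ok === 1 ? 'valid' : 'invalid';
    } catch (TypeError $e) {
        return 'TypeError: ' . $e->getMessage();
    }
}
// Throwaway RSA key pair generated at runtime for the demo.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$pub = openssl_pkey_get_details($key)['key'];
openssl_sign($legit['version'], $sig, $key, OPENSSL_ALGO_SHA256);
$store = [];
storeUnchecked($poison, $store);                  // the array slips through unchecked
echo verifyStored($store, $sig, $pub), PHP_EOL;   // exercises the TypeError path
$store = [];
var_dump(storeChecked($poison, $server, $store)); // poisoned input is rejected
storeChecked($legit, $server, $store);
echo verifyStored($store, $sig, $pub), PHP_EOL;   // legitimate signed value verifies
```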



Advisories

Source: Github GHSA
ID: GHSA-q4f2-39gr-45jh
Title: Adminer has an Unauthenticated Persistent DoS via Array Injection in ?script=version Endpoint
History

Fri, 20 Feb 2026 20:30:00 +0000

Type | Values removed | Values added
First Time appeared | | Adminer, Adminer adminer
Weaknesses | | NVD-CWE-noinfo
CPEs | | cpe:2.3:a:adminer:adminer:*:*:*:*:*:*:*:*
Vendors & Products | | Adminer, Adminer adminer

Tue, 10 Feb 2026 16:15:00 +0000

Type | Values removed | Values added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Feb 2026 12:45:00 +0000

Type | Values removed | Values added
First Time appeared | | Vrana, Vrana adminer
Vendors & Products | | Vrana, Vrana adminer

Mon, 09 Feb 2026 21:45:00 +0000

Type | Values removed | Values added
Description | | Adminer is open-source database management software. Adminer v5.4.1 and earlier has a version check mechanism where adminer.org sends signed version info via JavaScript postMessage, which the browser then POSTs to ?script=version. This endpoint lacks origin validation and accepts POST data from any source. An attacker can POST version[] parameter which PHP converts to an array. On next page load, openssl_verify() receives this array instead of string and throws TypeError, returning HTTP 500 to all users. Upgrade to Adminer 5.4.2.
Title | | Adminer has an Unauthenticated Persistent DoS via Array Injection in ?script=version Endpoint
Weaknesses | | CWE-20
References | |
Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-10T15:57:46.865Z

Reserved: 2026-02-06T21:08:39.130Z

Link: CVE-2026-25892

Vulnrichment

Updated: 2026-02-10T15:39:31.665Z

NVD

Status: Analyzed

Published: 2026-02-09T22:16:04.023

Modified: 2026-02-20T20:24:32.147

Link: CVE-2026-25892

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T13:00:08Z

Weaknesses