Description
Admidio is an open-source user management solution. Versions 5.0.6 and below are vulnerable to arbitrary SQL Injection through the MyList configuration feature. The MyList configuration feature lets authenticated users define custom list column layouts, storing user-supplied column names, sort directions, and filter conditions in the adm_list_columns table via prepared statements. However, these stored values are later read back and interpolated directly into dynamically constructed SQL queries without sanitization or parameterization, creating a classic second-order SQL injection vulnerability (safe write, unsafe read). An attacker can exploit this to inject arbitrary SQL, potentially reading, modifying, or deleting any data in the database and achieving full database compromise. This issue has been fixed in version 5.0.7.
Published: 2026-03-20
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: Database Compromise through SQL Injection
Action: Immediate Patch
AI Analysis

Impact

A second‑order SQL injection flaw in Admidio allows an attacker to execute arbitrary SQL commands. The vulnerability is triggered when user‑supplied column names, sort orders, and filter conditions are stored via prepared statements but later embedded unsanitized into dynamically constructed SQL queries. Successful exploitation can read, modify, or delete any database content, effectively compromising the entire data store.

Affected Systems

Admidio versions 5.0.6 and earlier are affected. The issue resides in the MyList configuration feature that permits authenticated users to define custom list layouts.

Risk and Exploitability

The CVSS score of 8 indicates high risk, and the EPSS score below 1% reflects a low probability of exploitation in the wild. The vulnerability is not listed as a known exploited vulnerability by CISA. Attackers would need valid user credentials to configure the list, after which the stored inputs are later used in an unsafe query. Once the second‑order injection is triggered, the attacker gains full database control.

Generated by OpenCVE AI on March 23, 2026 at 16:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Admidio to version 5.0.7 or later to fix the second‑order SQL injection vulnerability

Generated by OpenCVE AI on March 23, 2026 at 16:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-3x67-4c2c-w45m Admidio has a Second-Order SQL Injection via List Configuration (lsc_special_field, lsc_sort, lsc_filter)
History

Mon, 23 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*

Fri, 20 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Admidio
Admidio admidio
Vendors & Products Admidio
Admidio admidio

Fri, 20 Mar 2026 02:15:00 +0000

Type Values Removed Values Added
Description Admidio is an open-source user management solution. Versions 5.0.6 and below are vulnerable to arbitrary SQL Injection through the MyList configuration feature. The MyList configuration feature lets authenticated users define custom list column layouts, storing user-supplied column names, sort directions, and filter conditions in the adm_list_columns table via prepared statements. However, these stored values are later read back and interpolated directly into dynamically constructed SQL queries without sanitization or parameterization, creating a classic second-order SQL injection vulnerability (safe write, unsafe read). An attacker can exploit this to inject arbitrary SQL, potentially reading, modifying, or deleting any data in the database and achieving full database compromise. This issue has been fixed in version 5.0.7.
Title Admidio: Second-Order SQL Injection via List Configuration (lsc_special_field, lsc_sort, lsc_filter)
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Admidio Admidio
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T14:39:28.844Z

Reserved: 2026-03-16T17:35:36.696Z

Link: CVE-2026-32813

cve-icon Vulnrichment

Updated: 2026-03-20T14:39:19.781Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T02:16:35.210

Modified: 2026-03-23T15:25:42.963

Link: CVE-2026-32813

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:09:38Z

Weaknesses