Description
Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, Admidio relies on adm_my_files/.htaccess to deny direct HTTP access to uploaded documents. The Docker image ships with AllowOverride None in the Apache configuration, which causes Apache to silently ignore all .htaccess files. As a result, any file uploaded to the documents module regardless of the role-based permissions configured in the UI, is directly accessible over HTTP without authentication by anyone who knows the file path. The file path is disclosed in the upload response JSON. This issue has been patched in version 5.0.8.
Published: 2026-03-31
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access and disclosure of protected documents
Action: Patch immediately
AI Analysis

Impact

Admidio versions 5.0.0 through 5.0.7 allow uploaded files in the documents module to be accessed directly via HTTP because the .htaccess file that is meant to block access is ignored when the Apache configuration uses AllowOverride None. The vulnerability is caused by improper enforcement of access control, resulting in potentially sensitive documents being exposed without authentication. This weakness corresponds to CWE‑284, which addresses unauthorized access control.

Affected Systems

The flaw affects the Admidio user‑management application, specifically versions 5.0.0 up to, but not including, 5.0.8. The issue is present in the official Docker image where the Apache instance is configured with AllowOverride None. It applies to any deployment of Admidio in this range that utilizes the same Apache configuration, regardless of the underlying operating system.

Risk and Exploitability

The CVSS score of 7.5 indicates a medium‑high severity, while the EPSS score of less than 1% suggests low current exploitation activity and the vulnerability is not listed in CISA’s KEV catalog. An attacker can leverage this flaw by taking the file path disclosed in the upload response JSON and making a GET request to that URL, thereby retrieving the file without authentication. The attack requires no special privileges or exploitation code, only the configuration gap where .htaccess directives are ignored.

Generated by OpenCVE AI on April 2, 2026 at 03:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Admidio to version 5.0.8 or later
  • If immediate upgrade is not possible, modify the Apache configuration to enable AllowOverride (e.g., set AllowOverride All) for the adm_my_files directory so that the .htaccess file is respected
  • If changing the Apache configuration is infeasible, delete or relocate any existing uploaded files that may be publicly accessible, and consider removing the adm_my_files directory from the web‑reachable path
  • Verify that future deployments use the latest Docker image or apply the patched container image

Generated by OpenCVE AI on April 2, 2026 at 03:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-7fh7-8xqm-3g88 Admidio allows Unauthenticated Access to Role-Restricted documents via neutralized .htaccess
History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Admidio
Admidio admidio
CPEs cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*
Vendors & Products Admidio
Admidio admidio
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Description Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, Admidio relies on adm_my_files/.htaccess to deny direct HTTP access to uploaded documents. The Docker image ships with AllowOverride None in the Apache configuration, which causes Apache to silently ignore all .htaccess files. As a result, any file uploaded to the documents module regardless of the role-based permissions configured in the UI, is directly accessible over HTTP without authentication by anyone who knows the file path. The file path is disclosed in the upload response JSON. This issue has been patched in version 5.0.8.
Title Admidio: Unauthenticated Access to Role-Restricted documents via neutralized .htaccess
Weaknesses CWE-284
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Admidio Admidio
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T13:41:03.359Z

Reserved: 2026-03-27T13:43:14.370Z

Link: CVE-2026-34381

cve-icon Vulnrichment

Updated: 2026-04-01T13:40:52.466Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T21:16:30.013

Modified: 2026-04-01T18:24:07.830

Link: CVE-2026-34381

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:10:49Z

Weaknesses