Description
Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, the delete mode handler in mylist_function.php permanently deletes list configurations without validating a CSRF token. An attacker who can lure an authenticated user to a malicious page can silently destroy that user's list configurations — including organization-wide shared lists when the victim holds administrator rights. This issue has been patched in version 5.0.8.
Published: 2026-03-31
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data Loss
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in Admidio’s mylist_function.php, where the deletion of list configurations is performed without validating a CSRF token. An attacker can cause an authenticated user to send a delete request that permanently removes the targeted list configuration. If the victim holds administrator rights, organization‑wide shared lists can also be destroyed, resulting in irreversible data loss that can disrupt collaboration and system configurations.

Affected Systems

Admidio versions 5.0.0 through 5.0.7 are affected. The issue was addressed in version 5.0.8, which restores CSRF protection for list deletion. Installations that have not applied this update remain vulnerable.

Risk and Exploitability

The CVSS score of 4.6 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of widespread exploitation. The vulnerability does not require special environmental conditions; the only stated prerequisite is that an authenticated user visit a malicious link. The likely attack vector is social engineering: the attacker lures the user to a page that triggers the deletion. Because the flaw allows permanent deletion of configuration data, it poses a significant risk to data integrity for organizations that rely on shared lists. It is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on April 2, 2026 at 04:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Admidio to version 5.0.8 or later to re‑enable CSRF protection for list deletion.
  • If an upgrade cannot be applied immediately, restrict the delete endpoint to only those users who absolutely require that privilege.
  • Monitor application logs for unexpected delete operations and investigate any anomalies.
  • Verify that other state‑changing actions in the application also enforce CSRF tokens to prevent similar vulnerabilities.
  • Educate users about the risks of clicking on unfamiliar links and emphasize the need to confirm the legitimacy of administrative interfaces before responding to prompts.
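To make the CWE-352 pattern described in the analysis concrete, and to show what "enforce CSRF tokens on state-changing actions" looks like in a handler, the following PHP is an added example written for this page. It is not Admidio's code: the function names, the `list_uuid` and `csrf_token` field names, the form action, and the sample UUID are all assumptions. It places a delete handler that relies on the session cookie alone beside a hardened version that uses a per-session synchronizer token, and runs both against a constructed request that carries no token.

```php
<?php
// Added illustration, not Admidio's code: a CWE-352 delete handler pattern
// beside a hardened version that uses a per-session synchronizer token.
// Function names, the 'list_uuid'/'csrf_token' fields and the form action are hypothetical.
declare(strict_types=1);

// Harden the session cookie before the session starts: SameSite=Lax keeps the
// cookie off cross-site POSTs, a defence-in-depth layer behind the token check.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

/** Vulnerable pattern: a logged-in session is the only thing the request needs. */
function deleteListVulnerable(array $request, callable $deleteListByUuid): int
{
    $uuid = (string) ($request['list_uuid'] ?? '');
    if ($uuid === '') {
        return 400;
    }
    // Nothing here ties the request to a page the user actually loaded; a
    // cross-site form post carrying the victim's session cookie reaches this line.
    $deleteListByUuid($uuid);
    return 204;
}

/** Returns the session's CSRF token, minting one on first use. */
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    }
    return $_SESSION['csrf_token'];
}

/** Constant-time comparison of the submitted token against the session's copy. */
function csrfTokenIsValid(mixed $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return is_string($submitted)
        && $expected !== ''
        && hash_equals($expected, $submitted);
}

/** Hardened pattern: require POST, a valid token and a well-formed id, then delete. */
function deleteListHardened(string $method, array $request, callable $deleteListByUuid): int
{
    if ($method !== 'POST') {
        return 405; // state changes never ride on GET, which browsers issue freely
    }
    if (!csrfTokenIsValid($request['csrf_token'] ?? null)) {
        return 403; // missing or mismatched token: treat the request as forged
    }
    $uuid = (string) ($request['list_uuid'] ?? '');
    if (!preg_match('/^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$/i', $uuid)) {
        return 400;
    }
    // The callback is still responsible for authorization: it must only delete
    // lists the current user owns or, for shared lists, is permitted to manage.
    $deleteListByUuid($uuid);
    return 204;
}

/** Legitimate pages embed the token as a hidden field so their submissions pass the check. */
function renderDeleteForm(string $uuid): string
{
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    $uuid  = htmlspecialchars($uuid, ENT_QUOTES, 'UTF-8');
    return "<form method=\"post\" action=\"list_delete.php\">"   // hypothetical endpoint
         . "<input type=\"hidden\" name=\"csrf_token\" value=\"{$token}\">"
         . "<input type=\"hidden\" name=\"list_uuid\" value=\"{$uuid}\">"
         . "<button type=\"submit\">Delete list</button></form>";
}

// Constructed demonstration: a token-less POST (what a cross-site form produces)
// against each handler, then the same POST carrying the session's token.
$deleted = [];
$sink = function (string $uuid) use (&$deleted): void { $deleted[] = $uuid; };
$uuid = '0f8fad5b-d9cb-469f-a165-70867728950e'; // constructed sample id

$forged = ['list_uuid' => $uuid];                              // no csrf_token field
$legit  = ['list_uuid' => $uuid, 'csrf_token' => csrfToken()];

printf("vulnerable, forged request: %d (deleted so far: %d)\n", deleteListVulnerable($forged, $sink), count($deleted));
printf("hardened,   forged request: %d (deleted so far: %d)\n", deleteListHardened('POST', $forged, $sink), count($deleted));
printf("hardened,   legit request:  %d (deleted so far: %d)\n", deleteListHardened('POST', $legit, $sink), count($deleted));
echo renderDeleteForm($uuid), "\n";
```

Run it from the command line with `php` (8.0 or later, for the `mixed` type). The design point worth noting is that the token check and the authorization check are separate controls: the token proves the request originated from a page the application served to this session, while the delete callback must still confirm that the user may remove that particular list. The administrator case in the description (organization-wide shared lists) is exactly where the second control decides the blast radius once the first is in place.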



Advisories
Source: Github GHSA
ID: GHSA-g3mx-8jm6-rc85
Title: Admidio has Missing CSRF Protections on Custom List Deletion in mylist_function.php
History

Wed, 01 Apr 2026 23:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | - | Admidio; Admidio admidio
CPEs | - | cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*
Vendors & Products | - | Admidio; Admidio admidio
Metrics | - | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 02:15:00 +0000

Type | Values Removed | Values Added
Description | - | Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, the delete mode handler in mylist_function.php permanently deletes list configurations without validating a CSRF token. An attacker who can lure an authenticated user to a malicious page can silently destroy that user's list configurations — including organization-wide shared lists when the victim holds administrator rights. This issue has been patched in version 5.0.8.
Title | - | Admidio: Missing CSRF Protection on Custom List Deletion in mylist_function.php
Weaknesses | - | CWE-352
References | - | -
Metrics | - | cvssV3_1: {'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T18:42:45.890Z

Reserved: 2026-03-27T13:43:14.370Z

Link: CVE-2026-34382

Vulnrichment

Updated: 2026-04-01T18:42:42.434Z

NVD

Status: Analyzed

Published: 2026-03-31T21:16:30.180

Modified: 2026-04-01T18:25:24.703

Link: CVE-2026-34382

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:10:48Z

Weaknesses