CVE-2026-34383 - Vulnerability Details

- Admidio: CSRF and Form Validation Bypass in Inventory Item Save via `imported` Parameter

Description

Admidio is an open-source user management solution. Prior to version 5.0.8, the inventory module's item_save endpoint accepts a user-controllable POST parameter imported that, when set to true, completely bypasses both CSRF token validation and server-side form validation. An authenticated user can craft a direct POST request to save arbitrary inventory item data without CSRF protection and without the field value checks that the FormPresenter validation normally enforces. This issue has been patched in version 5.0.8.

Published: 2026-03-31

Score: 4.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

In the inventory module of Admidio, a POST parameter named "imported" can be set to true to bypass both CSRF token validation and server‑side form validation. An authenticated user can therefore craft a direct POST request to the item_save endpoint and store arbitrary inventory data without the usual checks. This flaw permits unauthorized modification of inventory records, undermining data integrity and potentially allowing malicious changes to the system’s contents. The vulnerability is a classic case of inadequate input validation (CWE-20) coupled with a server‑side CSRF bypass (CWE-352).

Affected Systems

Admidio versions prior to 5.0.8 are affected. The flaw resides solely in the inventory module’s item_save endpoint. The issue has been resolved by patching the software to version 5.0.8 or later.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, further implying limited known exploitation activity. Exploitation requires an authenticated session; an attacker who obtains valid credentials can send a crafted request to the vulnerable endpoint and effect arbitrary changes to inventory data. While the risk is moderate, the low exploitation likelihood makes timely patching a prudent priority to mitigate potential data integrity issues.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Admidio

admidio

affected

Version	Status	Constraints
`< 5.0.8`	affected	—

Configuration 1 [-]

cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Admidio

100%

Version	Status	Scheme	Platform
`[0,5.0.8)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Admidio to version 5.0.8 or later.

Generated by OpenCVE AI on April 2, 2026 at 03:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-4rwm-c5mj-wh7x	Admidio has CSRF and Form Validation Bypass in Inventory Item Save via `imported` Parameter

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00031.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/Admidio/admidio/commit/00494b95dfe847af8b938e4397e5d909d8f36839
https://github.com/Admidio/admidio/security/advisories/GHSA-4rwm-c5mj-wh7x

History

Fri, 03 Apr 2026 17:45:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Admidio Admidio admidio
CPEs		cpe:2.3:a:admidio:admidio::::::::
Vendors & Products		Admidio Admidio admidio

Wed, 01 Apr 2026 02:15:00 +0000

Type	Values Removed	Values Added
Description		Admidio is an open-source user management solution. Prior to version 5.0.8, the inventory module's item_save endpoint accepts a user-controllable POST parameter imported that, when set to true, completely bypasses both CSRF token validation and server-side form validation. An authenticated user can craft a direct POST request to save arbitrary inventory item data without CSRF protection and without the field value checks that the FormPresenter validation normally enforces. This issue has been patched in version 5.0.8.
Title		Admidio: CSRF and Form Validation Bypass in Inventory Item Save via `imported` Parameter
Weaknesses		CWE-20 CWE-352
References		https://github.com/Admidio/admidio/commit/00494b95dfe847af8b938e4397e5d909d8f36839 https://github.com/Admidio/admidio/security/advisories/GHSA-4rwm-c5mj-wh7x
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}`

Subscriptions

Admidio Admidio

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-31T20:33:40.534Z

Updated: 2026-04-03T16:30:33.884Z

Reserved: 2026-03-27T13:45:29.619Z

Link: CVE-2026-34383

Vulnrichment

Updated: 2026-04-03T16:30:28.541Z

NVD

Status : Analyzed

Published: 2026-03-31T21:16:30.343

Modified: 2026-04-01T18:28:06.967

Link: CVE-2026-34383

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:10:47Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object