Description
Admidio is an open-source user management solution. Prior to version 5.0.8, the create_user, assign_member, and assign_user action modes in modules/registration.php approve pending user registrations via GET request without validating a CSRF token. Unlike the delete_user mode in the same file (which correctly validates the token), these three approval actions read their parameters from $_GET and perform irreversible state changes without any protection. An attacker who has submitted a pending registration can extract their own user UUID from the registration confirmation email URL, then trick any user with the rol_approve_users right into visiting a crafted URL that automatically approves the registration. This bypasses the manual registration approval workflow entirely. This issue has been patched in version 5.0.8.
Published: 2026-03-31
Score: 4.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized account approval by exploiting missing CSRF protection
Action: Immediate Patch
AI Analysis

Impact

The flaw allows a user to trigger approval of pending registrations through a GET request that carries no CSRF token, because the create_user, assign_member, and assign_user actions in modules/registration.php lack CSRF token validation. A crafted link that contains a pending registration's UUID automatically approves the account when an authorized user with the rol_approve_users right clicks it. This bypasses the intended manual review, permitting the attacker to establish an account with whatever roles the approval workflow grants, thereby potentially elevating their privileges within the application. The weakness is categorized as missing CSRF protection (CWE-352).

Affected Systems

Admidio, the open‑source user‑management platform, is affected for all releases prior to version 5.0.8. Any installation where the registration approval features are enabled and users are granted the rol_approve_users right is potentially vulnerable. The issue exists specifically in the modules/registration.php file handling the create_user, assign_member, and assign_user action modes.

Risk and Exploitability

The CVSS score of 4.5 indicates a moderate impact, while the EPSS score of less than 1% suggests that exploitation is uncommon. Because the flaw requires an authorized approver to click a crafted link, the attack surface is limited to installations that grant the rol_approve_users permission to a broader set of users. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote via a crafted HTTP GET request delivered through phishing or social engineering; the attacker can pre-generate the approval URL after submitting a pending registration and then trick a legitimate approver into visiting it.

Generated by OpenCVE AI on April 2, 2026 at 03:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Admidio 5.0.8 or newer
  • Limit the rol_approve_users permission to a restricted group of trusted users
  • Verify that all state‑changing actions in the deployment enforce CSRF tokens
  • Monitor logs for unexpected approval actions and audit new user creations
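As an added example for the last recommendation (this is not Admidio's or OpenCVE's code), the following Python scans web-server access logs in combined format for GET requests to modules/registration.php that use one of the three approval modes while arriving without a same-site Referer. The query parameter names `mode` and `user_uuid`, the hostname and the sample log lines are constructed assumptions, not values taken from Admidio.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Approval modes named in the advisory. The query parameter name "mode" and
# the UUID parameter name "user_uuid" are assumptions, not taken from Admidio.
APPROVAL_MODES = {"create_user", "assign_member", "assign_user"}
SITE_HOST = "admidio.example.org"  # constructed hostname of the deployment
# Apache/nginx "combined" format: ip - user [time] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def referer_is_cross_site(referer):
    """True when the Referer is absent or names a host other than the site."""
    if referer in ("", "-"):
        return True
    return urlsplit(referer).hostname != SITE_HOST

def find_suspicious_approvals(lines):
    """Return (user, mode, referer) for GET approvals that arrive cross-site."""
    # An approver clicking inside the application sends a same-site Referer; a
    # link followed from mail or a foreign page does not. Browsers may suppress
    # Referer by policy, so treat hits as leads to audit, not as proof.
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["path"])
        if not url.path.endswith("modules/registration.php"):
            continue
        mode = parse_qs(url.query).get("mode", [""])[0]
        if (m["method"] == "GET" and mode in APPROVAL_MODES
                and referer_is_cross_site(m["referer"])):
            hits.append((m["user"], mode, m["referer"]))
    return hits

# Constructed sample lines, not real traffic; the UUID value is a placeholder.
SAMPLE_LOG = [
    '203.0.113.7 - approver [01/Apr/2026:10:02:11 +0000] "GET /modules/registration.php?mode=create_user&user_uuid=PLACEHOLDER-UUID HTTP/1.1" 302 0 "https://mail.example.net/inbox" "Mozilla/5.0"',
    '203.0.113.7 - approver [01/Apr/2026:10:05:42 +0000] "GET /modules/registration.php?mode=assign_member&user_uuid=PLACEHOLDER-UUID HTTP/1.1" 302 0 "https://admidio.example.org/modules/registration.php" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Apr/2026:10:06:00 +0000] "GET /modules/registration.php?mode=delete_user&user_uuid=PLACEHOLDER-UUID HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - approver [01/Apr/2026:10:07:13 +0000] "GET /modules/registration.php?mode=assign_user&user_uuid=PLACEHOLDER-UUID HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for user, mode, ref in find_suspicious_approvals(SAMPLE_LOG):
        print(f"suspicious approval: user={user} mode={mode} referer={ref!r}")
```

The same-site approval (second line) and the delete_user request (which the advisory says already validates its token) are not reported; only the two approvals reached from a mail client or with no Referer are.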

Advisories

Source: Github GHSA
ID: GHSA-ph84-r98x-2j22
Title: Admidio has Missing CSRF Protection on Registration Approval Actions

History

Wed, 01 Apr 2026 23:45:00 +0000 (values added; nothing removed)

First Time appeared: Admidio; Admidio admidio
CPEs: cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*
Vendors & Products: Admidio; Admidio admidio
Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 02:15:00 +0000 (values added; nothing removed)

Description: identical to the Description given at the top of this page
Title: Admidio: Missing CSRF Protection on Registration Approval Actions
Weaknesses: CWE-352
References:
Metrics: cvssV3_1 {'score': 4.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T15:53:47.600Z

Reserved: 2026-03-27T13:45:29.619Z

Link: CVE-2026-34384

Vulnrichment

Updated: 2026-04-01T15:48:47.412Z

NVD

Status : Analyzed

Published: 2026-03-31T21:16:30.503

Modified: 2026-04-01T18:31:30.673

Link: CVE-2026-34384

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:10:46Z

Weaknesses