Description
Admidio is an open-source user management solution. Prior to version 5.0.9, the ecard_preview.php endpoint does not validate that the ecard_template POST parameter is a safe filename before passing it to ECard::getEcardTemplate(). An authenticated user can supply a path traversal payload (e.g., ../config.php) to read arbitrary files accessible to the web server process, including adm_my_files/config.php which contains database credentials. This issue has been patched in version 5.0.9.
Published: 2026-05-07
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Admidio contains a path traversal flaw in ecard_preview.php that allows an authenticated user to supply a traversal payload for the ecard_template parameter. By directing the request to files under the web server's document root, the attacker can read any file the server process can access, including configuration files that contain database credentials. The weakness is mapped to CWE-22 and results in a confidentiality compromise without affecting integrity or availability.

Affected Systems

The flaw is present in all Admidio releases older than version 5.0.9. Admidio is an open‑source user management system applied in web environments that host the vulnerable endpoint.

Risk and Exploitability

The CVSS score for this vulnerability is 6.5, indicating moderate severity. The EPSS score is not provided, and the vulnerability is not listed in the CISA KEV catalog. Because the attacker must be authenticated to use the endpoint, a threat actor would need legitimate credentials, but once authenticated they can read arbitrary files that the web server can access. No remote code execution or privileged escalation is offered by this flaw.

Generated by OpenCVE AI on May 7, 2026 at 05:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Admidio to version 5.0.9 or later, which removes the path traversal check issue.
  • Restrict the ecard_preview.php endpoint so that only users with administrative rights can invoke it, limiting the attacker’s access scope.
  • Set appropriate file permissions on configuration files and other sensitive resources to prevent web server read access where possible.

Generated by OpenCVE AI on May 7, 2026 at 05:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-m3vp-3jjm-gpmx Admidio has Path Traversal in ECard Preview that Allows Reading Arbitrary Server Files Including Database Credentials
History

Thu, 07 May 2026 06:15:00 +0000

Type Values Removed Values Added
First Time appeared Admidio
Admidio admidio
Vendors & Products Admidio
Admidio admidio

Thu, 07 May 2026 04:15:00 +0000

Type Values Removed Values Added
Description Admidio is an open-source user management solution. Prior to version 5.0.9, the ecard_preview.php endpoint does not validate that the ecard_template POST parameter is a safe filename before passing it to ECard::getEcardTemplate(). An authenticated user can supply a path traversal payload (e.g., ../config.php) to read arbitrary files accessible to the web server process, including adm_my_files/config.php which contains database credentials. This issue has been patched in version 5.0.9.
Title Admidio: Path Traversal in ECard Preview Allows Reading Arbitrary Server Files Including Database Credentials
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Admidio Admidio
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T02:55:37.512Z

Reserved: 2026-04-21T23:58:43.803Z

Link: CVE-2026-41655

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-07T04:16:28.470

Modified: 2026-05-07T04:16:28.470

Link: CVE-2026-41655

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T06:00:15Z

Weaknesses