Description
Admidio is an open-source user management solution. Prior to version 5.0.9, the add mode in modules/documents-files.php accepts a name parameter validated only as 'string' type (HTML encoding), allowing path traversal characters (../) to pass through unfiltered. Combined with the absence of CSRF protection on this endpoint and SameSite=Lax session cookies, a low-privileged attacker can trick a documents administrator into clicking a crafted link that registers an arbitrary server file (e.g., install/config.php containing database credentials) into a documents folder accessible to the attacker. This issue has been patched in version 5.0.9.
Published: 2026-05-07
Score: 4.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a path traversal (CWE-22) in the add mode of modules/documents-files.php. The ‘name’ parameter is validated only as a generic string (HTML encoding), which neutralises HTML metacharacters but does nothing to the '../' sequences that matter once the value is used as a filesystem path. Because the endpoint also requires no CSRF token and the session cookie is SameSite=Lax (so it is still sent on a cross-site top-level navigation such as a clicked link), a low-privileged attacker can craft a link that, when followed by a documents administrator, registers an arbitrary server file such as install/config.php into a documents folder the attacker can read. The result is disclosure of sensitive configuration data, including database credentials, over the web.

Affected Systems

All Admidio installations running a version prior to 5.0.9 are vulnerable; the issue was fixed starting with version 5.0.9.

Risk and Exploitability

The CVSS 3.1 score of 4.5 (AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N) reflects a network-reachable flaw whose impact is limited to confidentiality, but which requires privileges on the application and user interaction. The EPSS score is below 1% (very low), the vulnerability is not listed in CISA KEV, and the SSVC record notes a public proof of concept with 'Automatable: no'. Exploitation requires a social‑engineering step to get a documents administrator to follow a malicious link, and the attack relies on the lack of CSRF protection combined with the SameSite=Lax cookie policy. Overall, the risk is moderate with a relatively low likelihood of widespread exploitation.

Generated by OpenCVE AI on May 7, 2026 at 05:58 UTC.

Remediation

Vendor fix: upgrade to Admidio 5.0.9 or later (see GHSA-m9h6-8pqm-xrhf). No separate vendor workaround is listed on this page.

OpenCVE Recommended Actions

  • Upgrade Admidio to version 5.0.9 or later.
  • Until the upgrade is applied, disable or restrict the add mode of modules/documents-files.php. Note that limiting the endpoint to privileged users does not mitigate this issue on its own, because the CSRF victim is a documents administrator who already holds that privilege.
  • For forks or custom deployments: require a CSRF token on state-changing requests and set session cookies to SameSite=Strict; a Lax cookie is still sent on cross-site top-level GET navigations, which is exactly what a crafted link relies on.
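The following is an added, stand-alone Python model of the two weaknesses the analysis above describes and of the hardened check the recommended actions call for. It is not Admidio's code and does not reproduce the project's validation API: the directory layout, the config file content and the function names are constructed for the demonstration. It shows that HTML-encoding leaves '../' intact and lets the resolved path land on install/config.php, that a basename-plus-containment check rejects the same input, and why a SameSite=Lax cookie accompanies a clicked link but not a cross-site POST.

```python
import html
import os
import tempfile

# Constructed sample input: the traversal payload shape the advisory describes
# (climbing out of the documents folder to the installer's config file).
TRAVERSAL_NAME = "../../install/config.php"
BENIGN_NAME = "report.pdf"


def build_sample_tree() -> tuple[str, str]:
    """Create a throwaway directory layout (hypothetical, modelled loosely on
    the advisory: a documents folder two levels below the web root and
    install/config.php beside it). Returns (documents_dir, config_path)."""
    root = tempfile.mkdtemp(prefix="admidio-demo-")
    docs = os.path.join(root, "adm_my_files", "documents")
    os.makedirs(docs)
    os.makedirs(os.path.join(root, "install"))
    config_path = os.path.join(root, "install", "config.php")
    with open(config_path, "w") as fh:
        fh.write("<?php $g_adm_password = 'example-only';\n")  # constructed content
    return os.path.realpath(docs), os.path.realpath(config_path)


def vulnerable_validate(name: str) -> str:
    """Models a 'string'-type check that only HTML-encodes the value.
    Escaping handles <, >, &, and quotes; '.' and '/' are untouched, so a
    traversal sequence survives unchanged."""
    return html.escape(name, quote=True)


def vulnerable_resolve(name: str, documents_dir: str) -> str:
    """Joins the 'validated' name onto the documents folder the way a naive
    add handler would, and returns the filesystem path it actually lands on."""
    return os.path.realpath(os.path.join(documents_dir, vulnerable_validate(name)))


def hardened_validate(name: str, documents_dir: str) -> str:
    """Accepts only a bare file name and proves the resolved path is inside
    documents_dir. Raises ValueError otherwise."""
    if not name or "\x00" in name:
        raise ValueError("empty name or NUL byte")
    if name in (".", "..") or name != os.path.basename(name):
        raise ValueError("name must not contain path components")
    base = os.path.realpath(documents_dir)
    target = os.path.realpath(os.path.join(base, name))
    # commonpath (not startswith) so '/srv/docs2' is not accepted as inside '/srv/docs'
    if os.path.commonpath([base, target]) != base:
        raise ValueError("resolved path escapes the documents folder")
    return target


def is_rejected(name: str, documents_dir: str) -> bool:
    """True if the hardened check refuses the name."""
    try:
        hardened_validate(name, documents_dir)
    except ValueError:
        return True
    return False


def cookie_sent(samesite: str, cross_site: bool, method: str, top_level: bool) -> bool:
    """Simplified model of the SameSite rules (RFC 6265bis): Strict never attaches
    the cookie to a cross-site request; Lax attaches it only to cross-site
    top-level navigations using a safe method, which is what a clicked link is;
    None always attaches it (the Secure requirement is not modelled here)."""
    if not cross_site or samesite == "None":
        return True
    if samesite == "Strict":
        return False
    if samesite == "Lax":
        return top_level and method.upper() in ("GET", "HEAD", "OPTIONS", "TRACE")
    raise ValueError(f"unknown SameSite value: {samesite}")


if __name__ == "__main__":
    docs, config = build_sample_tree()
    print("vulnerable resolves to:", vulnerable_resolve(TRAVERSAL_NAME, docs))
    print("same file as config.php:", vulnerable_resolve(TRAVERSAL_NAME, docs) == config)
    print("hardened rejects payload:", is_rejected(TRAVERSAL_NAME, docs))
    print("hardened accepts benign:", hardened_validate(BENIGN_NAME, docs))
    print("Lax cookie on link click (cross-site top-level GET):", cookie_sent("Lax", True, "GET", True))
    print("Lax cookie on cross-site POST:", cookie_sent("Lax", True, "POST", True))
    print("Strict cookie on link click:", cookie_sent("Strict", True, "GET", True))
```

The containment check uses os.path.commonpath on realpath-resolved values rather than a string prefix test, so symlinks inside the documents folder and sibling directories with a shared prefix are handled; the SameSite function deliberately ignores the Secure attribute and the Lax-by-default grace period some browsers apply, which do not change the outcome for a plain link click.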

Generated by OpenCVE AI on May 7, 2026 at 05:58 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-m9h6-8pqm-xrhf
Title: Admidio has Path Traversal via Unvalidated `name` Parameter in Document Add Mode that Enables Arbitrary Server File Read
History

Thu, 07 May 2026 14:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 07 May 2026 05:45:00 +0000

Type: First Time appeared
Values added: Admidio; Admidio admidio
Type: Vendors & Products
Values added: Admidio; Admidio admidio

Thu, 07 May 2026 04:15:00 +0000

Type: Description
Values added: Admidio is an open-source user management solution. Prior to version 5.0.9, the add mode in modules/documents-files.php accepts a name parameter validated only as 'string' type (HTML encoding), allowing path traversal characters (../) to pass through unfiltered. Combined with the absence of CSRF protection on this endpoint and SameSite=Lax session cookies, a low-privileged attacker can trick a documents administrator into clicking a crafted link that registers an arbitrary server file (e.g., install/config.php containing database credentials) into a documents folder accessible to the attacker. This issue has been patched in version 5.0.9.
Type: Title
Values added: Admidio: Path Traversal via Unvalidated `name` Parameter in Document Add Mode Enables Arbitrary Server File Read
Type: Weaknesses
Values added: CWE-22
Type: References
Type: Metrics (cvssV3_1)
Values added: {'score': 4.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T14:05:24.521Z

Reserved: 2026-04-21T23:58:43.803Z

Link: CVE-2026-41656

Vulnrichment

Updated: 2026-05-07T14:05:12.793Z

NVD

Status : Deferred

Published: 2026-05-07T04:16:28.633

Modified: 2026-05-07T15:16:08.050

Link: CVE-2026-41656

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T06:00:16Z

Weaknesses