CVE-2026-25892
Undergoing Analysis Undergoing Analysis - In Progress
TypeError Vulnerability in Adminer Version Check Causes DoS

Publication date: 2026-02-09

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
Adminer is open-source database management software. Adminer v5.4.1 and earlier has a version check mechanism where adminer.org sends signed version info via JavaScript postMessage, which the browser then POSTs to ?script=version. This endpoint lacks origin validation and accepts POST data from any source. An attacker can POST version[] parameter which PHP converts to an array. On next page load, openssl_verify() receives this array instead of string and throws TypeError, returning HTTP 500 to all users. Upgrade to Adminer 5.4.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-09
Last Modified
2026-02-20
Generated
2026-06-16
AI Q&A
2026-02-10
EPSS Evaluated
2026-06-14
NVD
CVE-2026-25892
EUVD
EUVD-2026-6870
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
adminer adminer From 4.6.2 (inc) to 5.4.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Adminer, an open-source database management software, specifically in versions 5.4.1 and earlier. The issue arises from the version check mechanism where adminer.org sends signed version information via JavaScript postMessage. The browser then POSTs this data to the ?script=version endpoint. This endpoint does not validate the origin of the POST request and accepts data from any source.

An attacker can exploit this by sending a POST request with a version[] parameter, which PHP converts into an array. When the page loads next, the function openssl_verify() expects a string but instead receives an array, causing it to throw a TypeError. This results in an HTTP 500 error being returned to all users.

The recommended mitigation is to upgrade Adminer to version 5.4.2 or later.

Impact Analysis

This vulnerability can cause a denial of service (DoS) condition for all users of the affected Adminer installation. Because the openssl_verify() function throws a TypeError when it receives an unexpected array instead of a string, the server returns an HTTP 500 error on page loads, effectively making the service unavailable.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by checking if your Adminer installation is version 5.4.1 or earlier and by monitoring for HTTP 500 errors caused by the openssl_verify() function receiving unexpected data types.

You can attempt to reproduce the issue by sending a POST request to the ?script=version endpoint with a crafted version[] parameter to see if the server returns HTTP 500 errors.

Example command using curl to test the vulnerability:

  • curl -X POST -d "version[]=test" https://your-adminer-url/?script=version -v

If the server responds with HTTP 500 errors, it indicates the presence of the vulnerability.

Mitigation Strategies

The immediate mitigation step is to upgrade Adminer to version 5.4.2 or later, where this vulnerability has been fixed.

Until the upgrade can be performed, consider restricting access to the ?script=version endpoint to trusted sources only, for example by using firewall rules or web server configuration.

Additionally, monitor your logs for HTTP 500 errors related to this endpoint as an indicator of exploitation attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25892. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart