CVE-2026-25892
TypeError Vulnerability in Adminer Version Check Causes DoS
Publication date: 2026-02-09
Last updated on: 2026-02-20
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| adminer | adminer | From 4.6.2 (inc) to 5.4.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Adminer, an open-source database management software, specifically in versions 5.4.1 and earlier. The issue arises from the version check mechanism where adminer.org sends signed version information via JavaScript postMessage. The browser then POSTs this data to the ?script=version endpoint. This endpoint does not validate the origin of the POST request and accepts data from any source.
An attacker can exploit this by sending a POST request with a version[] parameter, which PHP converts into an array. When the page loads next, the function openssl_verify() expects a string but instead receives an array, causing it to throw a TypeError. This results in an HTTP 500 error being returned to all users.
The recommended mitigation is to upgrade Adminer to version 5.4.2 or later.
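The request-to-TypeError path described in this answer, as an added PHP illustration that is not Adminer's code: the key pair, the request bodies and the function names are constructed here, and the handler only stands in for the real endpoint.

```php
<?php
declare(strict_types=1);
// Added illustration, not Adminer's code: a minimal version-check handler that
// stores a signed version string and verifies it on a later page load, in the
// unchecked and the validated form. Key pair and request bodies are constructed.

// Unchecked: store whatever PHP parsed from the POST body. "version[]=test"
// makes $post['version'] an array, which the later verify step then receives.
function storeUnchecked(array $post, array &$store): void {
    $store['version'] = $post['version'] ?? '';
    $store['signature'] = $post['signature'] ?? '';
}

// Validated (the CWE-20 fix): refuse anything that is not a string of the
// expected shape before it is stored, so only strings reach openssl_verify().
function storeValidated(array $post, array &$store): bool {
    $version = $post['version'] ?? null;
    $signature = $post['signature'] ?? null;
    if (!is_string($version) || !is_string($signature)) return false;
    if (!preg_match('/^\d+(\.\d+){1,2}$/', $version)) return false;
    if (base64_decode($signature, true) === false) return false;
    $store['version'] = $version;
    $store['signature'] = $signature;
    return true;
}

// Later page load. True only for a valid signature; throws TypeError (uncaught,
// that is the HTTP 500 every visitor sees) if an array reached openssl_verify().
function verifyStored(array $store, string $publicKeyPem): bool {
    $raw = base64_decode($store['signature'], true);
    return $raw !== false
        && openssl_verify($store['version'], $raw, $publicKeyPem, OPENSSL_ALGO_SHA256) === 1;
}

// Demo with a freshly generated RSA key pair standing in for adminer.org's key.
$key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$publicPem = openssl_pkey_get_details($key)['key'];
openssl_sign('5.4.2', $sig, $key, OPENSSL_ALGO_SHA256);
$good = ['version' => '5.4.2', 'signature' => base64_encode($sig)];
$bad  = ['version' => ['test'], 'signature' => base64_encode($sig)]; // what version[]=test parses to
$store = [];
echo 'validated + good: ', var_export(storeValidated($good, $store) && verifyStored($store, $publicPem), true), "\n";
echo 'validated + array: ', var_export(storeValidated($bad, $store), true), "\n"; // rejected, store untouched
storeUnchecked($bad, $store);
try {
    verifyStored($store, $publicPem);
} catch (TypeError $e) {
    echo 'unchecked + array: ', $e->getMessage(), "\n"; // the failure that surfaces as a 500
}
```

Checking the parameter type at the point where the value is accepted is what keeps a single crafted request from poisoning the stored value that every later page load depends on.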
How can this vulnerability impact me?
This vulnerability can cause a denial of service (DoS) condition for all users of the affected Adminer installation. Because the openssl_verify() function throws a TypeError when it receives an unexpected array instead of a string, the server returns an HTTP 500 error on page loads, effectively making the service unavailable.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your Adminer installation is version 5.4.1 or earlier and by monitoring for HTTP 500 errors caused by the openssl_verify() function receiving unexpected data types.
You can attempt to reproduce the issue by sending a POST request to the ?script=version endpoint with a crafted version[] parameter to see if the server returns HTTP 500 errors.
Example command using curl to test the vulnerability:
- curl -X POST -d "version[]=test" https://your-adminer-url/?script=version -v
If the server responds with HTTP 500 errors, it indicates the presence of the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Adminer to version 5.4.2 or later, where this vulnerability has been fixed.
Until the upgrade can be performed, consider restricting access to the ?script=version endpoint to trusted sources only, for example by using firewall rules or web server configuration.
Additionally, monitor your logs for HTTP 500 errors related to this endpoint as an indicator of exploitation attempts.