CVE-2026-32813
Second-Order SQL Injection in Admidio MyList Leads to Full DB Compromise
Publication date: 2026-03-20
Last updated on: 2026-03-23
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| admidio | admidio | before 5.0.7 (5.0.7 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32813 is a high-severity second-order SQL injection vulnerability in Admidio versions 5.0.6 and below. It occurs in the MyList configuration feature, which allows authenticated users to define custom list column layouts by storing user-supplied column names, sort directions, and filter conditions in the database using prepared statements.
Although the inputs are safely stored, they are later read back and directly interpolated into dynamically constructed SQL queries without proper sanitization or parameterization. This unsafe read phase enables attackers to inject arbitrary SQL commands.
The vulnerability arises because column names are only trivially validated by prefix checks, sort directions are not validated server-side, and filter conditions are not sanitized. An attacker with authenticated access and list edit permissions can exploit this to execute arbitrary SQL queries.
How can this vulnerability impact me?
This vulnerability can lead to full database compromise. An attacker can read, modify, or delete any data in the database by injecting arbitrary SQL commands.
- Data exfiltration including sensitive information such as password hashes, emails, and personal data.
- Data modification or deletion through stacked queries supported by MySQL PDO.
- Privilege escalation within the application.
The injected malicious payload persists in the database and triggers every time the list is viewed, allowing continuous exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusual or malicious SQL queries originating from the MyList configuration feature in Admidio, especially those involving the adm_list_columns table.
Since the injection occurs when stored values like lsc_special_field, lsc_sort, and lsc_filter are interpolated into SQL queries without sanitization, detection can focus on identifying suspicious entries in the adm_list_columns database table or anomalous SQL query patterns.
Suggested commands to detect potential exploitation or presence of malicious payloads include:
- Query the adm_list_columns table for suspicious or unexpected values in the lsc_special_field column, such as those containing SQL keywords or unusual syntax (e.g., 'usr_id FROM adm_users)--'):
  SELECT * FROM adm_list_columns WHERE lsc_special_field LIKE '%FROM%' OR lsc_special_field LIKE '%--%';
- Check for suspicious sort values in lsc_sort that include SQL expressions beyond 'ASC' or 'DESC':
  SELECT * FROM adm_list_columns WHERE lsc_sort NOT IN ('ASC', 'DESC', '');
- Monitor database logs or enable query logging to detect dynamically constructed SQL queries containing injected payloads, especially those triggered when viewing lists (e.g., lists_show.php).
- Review web application logs for authenticated user actions involving list configuration edits, as exploitation requires authenticated users with list edit permissions. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Admidio to version 5.0.7 or later, where this vulnerability has been fixed.
If upgrading is not immediately possible, consider the following actions:
- Restrict or disable the MyList configuration feature for authenticated users who do not require list editing permissions.
- Implement strict server-side validation or filtering of inputs related to lsc_special_field, lsc_sort, and lsc_filter to allow only known safe values.
- Review and clean the adm_list_columns table to remove any suspicious or malicious stored values that could trigger SQL injection.
- Monitor and audit authenticated user activities related to list configurations to detect potential exploitation attempts.
- Apply web application firewall (WAF) rules to detect and block SQL injection patterns targeting the MyList feature.
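The following added example (not Admidio's code) shows the allow-list validation recommended above for lsc_special_field and lsc_sort, a read-phase query builder that binds lsc_filter as a parameter instead of interpolating it, and a scan over exported adm_list_columns rows that implements the detection checks from the previous answer. The set of permitted special-field names and the query shape are assumptions, and the sample rows are constructed.

```python
# Assumed allow-lists for this example; Admidio's real set of special fields
# is not on the CVE page, so these names are placeholders.
ALLOWED_SPECIAL_FIELDS = {"usr_login_name", "usr_photo", "mem_begin", "mem_end"}
ALLOWED_SORT = {"", "ASC", "DESC"}

def validate_list_column(special_field, sort):
    """Write-time check for the two fields that end up as SQL identifiers or
    keywords. Returns a list of problems; empty means accepted. A prefix check
    alone would pass 'usr_id FROM adm_users)--'; exact allow-listing does not."""
    problems = []
    if special_field and special_field not in ALLOWED_SPECIAL_FIELDS:
        problems.append(f"lsc_special_field rejected: {special_field!r}")
    if sort.upper() not in ALLOWED_SORT:
        problems.append(f"lsc_sort rejected: {sort!r}")
    return problems

def build_query(special_field, sort, filter_value):
    """Read phase (assumed query shape). Only allow-listed values reach the SQL
    text; the filter is a value, so it is bound to a '?' placeholder. Returns (sql, params)."""
    if not special_field or validate_list_column(special_field, sort):
        raise ValueError("stored list column failed allow-list validation")
    sql = f"SELECT usr_id, {special_field} FROM adm_users"
    params = []
    if filter_value != "":
        sql += f" WHERE {special_field} LIKE ?"
        params.append(f"%{filter_value}%")
    if sort:
        sql += f" ORDER BY {special_field} {sort.upper()}"
    return sql, params

def scan_rows(rows):
    """Detection over exported adm_list_columns rows: {lsc_id: problems} for
    every stored value the write-time validator would reject."""
    findings = {}
    for row in rows:
        problems = validate_list_column(row["lsc_special_field"], row["lsc_sort"])
        if problems:
            findings[row["lsc_id"]] = problems
    return findings

# Constructed sample rows, not real data. Row 2 holds the suspicious value
# quoted on this page; row 3 has a sort value outside ASC/DESC and a filter
# containing a quote, which is harmless once bound as a parameter.
SAMPLE_ROWS = [
    {"lsc_id": 1, "lsc_special_field": "usr_login_name", "lsc_sort": "ASC", "lsc_filter": ""},
    {"lsc_id": 2, "lsc_special_field": "usr_id FROM adm_users)--", "lsc_sort": "ASC", "lsc_filter": ""},
    {"lsc_id": 3, "lsc_special_field": "mem_begin", "lsc_sort": "DESC, usr_id", "lsc_filter": "O'Brien"},
]
```

Running scan_rows(SAMPLE_ROWS) flags rows 2 and 3, matching what the two detection queries above would return; build_query refuses row 2 outright rather than letting the stored value reach the SQL text.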