CVE-2026-34382
CSRF Vulnerability in Admidio Deletes Critical List Configurations
Publication date: 2026-03-31
Last updated on: 2026-04-01
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| admidio | admidio | From 5.0.0 (inclusive) to 5.0.8 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Admidio, an open-source user management solution, specifically in versions from 5.0.0 to before 5.0.8. The issue is in the delete mode handler within the mylist_function.php file, which permanently deletes list configurations without checking for a CSRF (Cross-Site Request Forgery) token. This means that an attacker can trick an authenticated user into visiting a malicious webpage that silently deletes that user's list configurations. If the victim has administrator rights, this can include organization-wide shared lists.
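The pattern the explanation above describes, as an added illustration that is not Admidio's own code: a state-changing delete handler that acts on any request it receives, next to the same handler gated on a per-session CSRF token. The request parameter names (`mode`, `lst_id`, `csrf_token`) and the `deleteListConfiguration` stub are assumptions chosen for the example, not identifiers from the project.

```php
<?php
// Added example (not Admidio's code). Demonstrates why a delete action that
// skips CSRF validation can be triggered from a page the victim did not intend
// to interact with, and how a session-bound token closes that gap.

// Defence in depth: a SameSite cookie stops most browsers from attaching the
// session to cross-site requests in the first place.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true, 'secure' => true]);
session_start();

// Issue one random token per session; the page that renders the delete form
// embeds it as a hidden field so only that page can produce a matching request.
function getCsrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison of the submitted token with the session token.
function isValidCsrfToken(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Hypothetical persistence stub standing in for the real deletion query.
function deleteListConfiguration(int $listId): void
{
    // e.g. DELETE FROM lists WHERE id = :id (omitted)
}

$mode   = $_GET['mode'] ?? '';
$listId = (int) ($_GET['lst_id'] ?? 0);

if ($mode === 'delete') {
    // Weak form (the pattern the advisory describes): nothing proves the user
    // chose this action, so a request forged by another site is honoured.
    //   deleteListConfiguration($listId);

    // Hardened form: require POST and a token that matches the session.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || !isValidCsrfToken($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    deleteListConfiguration($listId);
}
```

The form that offers the delete button calls `getCsrfToken()` and emits it as a hidden `csrf_token` field; the handler then rejects any request that lacks a matching token, which is exactly the check the advisory says was absent before 5.0.8.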
How can this vulnerability impact me?
The vulnerability can lead to the permanent deletion of list configurations in Admidio without the user's consent. This can disrupt user and organizational workflows by removing important shared lists, especially if the affected user has administrator privileges. The impact includes loss of data integrity and availability of critical configuration data, potentially causing administrative and operational difficulties.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Admidio to version 5.0.8 or later, where the issue has been patched.
Additionally, avoid visiting untrusted or malicious web pages while authenticated to Admidio to reduce the risk of CSRF attacks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an attacker to delete list configurations, including organization-wide shared lists, without proper authorization due to lack of CSRF token validation. This could lead to unauthorized modification or destruction of user data configurations.
While the CVE description does not explicitly mention compliance with standards like GDPR or HIPAA, the unauthorized deletion of data configurations could potentially impact compliance by compromising data integrity and availability, which are important aspects of these regulations.
Organizations using affected versions of Admidio should consider the risk of this vulnerability in their compliance assessments and apply the patch in version 5.0.8 to mitigate the issue.