CVE-2026-34382
Received Received - Intake
CSRF Vulnerability in Admidio Deletes Critical List Configurations

Publication date: 2026-03-31

Last updated on: 2026-04-01

Assigner: GitHub, Inc.

Description
Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, the delete mode handler in mylist_function.php permanently deletes list configurations without validating a CSRF token. An attacker who can lure an authenticated user to a malicious page can silently destroy that user's list configurations β€” including organization-wide shared lists when the victim holds administrator rights. This issue has been patched in version 5.0.8.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-01
Generated
2026-06-16
AI Q&A
2026-04-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34382
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
admidio admidio From 5.0.0 (inc) to 5.0.8 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows an attacker to delete list configurations, including organization-wide shared lists, without proper authorization due to lack of CSRF token validation. This could lead to unauthorized modification or destruction of user data configurations.

While the CVE description does not explicitly mention compliance with standards like GDPR or HIPAA, the unauthorized deletion of data configurations could potentially impact compliance by compromising data integrity and availability, which are important aspects of these regulations.

Organizations using affected versions of Admidio should consider the risk of this vulnerability in their compliance assessments and apply the patch in version 5.0.8 to mitigate the issue.

Executive Summary

This vulnerability exists in Admidio, an open-source user management solution, specifically in versions from 5.0.0 to before 5.0.8. The issue is in the delete mode handler within the mylist_function.php file, which permanently deletes list configurations without checking for a CSRF (Cross-Site Request Forgery) token. This means that an attacker can trick an authenticated user into visiting a malicious webpage that silently deletes that user's list configurations. If the victim has administrator rights, this can include organization-wide shared lists.

Impact Analysis

The vulnerability can lead to the permanent deletion of list configurations in Admidio without the user's consent. This can disrupt user and organizational workflows by removing important shared lists, especially if the affected user has administrator privileges. The impact includes loss of data integrity and availability of critical configuration data, potentially causing administrative and operational difficulties.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Admidio to version 5.0.8 or later, where the issue has been patched.

Additionally, avoid visiting untrusted or malicious web pages while authenticated to Admidio to reduce the risk of CSRF attacks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34382. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart