CVE-2026-34383
CSRF Bypass in Admidio Inventory Module Allows Unauthorized Data Modification
Publication date: 2026-03-31
Last updated on: 2026-04-01
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| admidio | admidio | all versions before 5.0.8 (5.0.8 itself not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Admidio, an open-source user management solution, specifically in versions prior to 5.0.8. The issue is in the inventory module's item_save endpoint, which accepts a user-controllable POST parameter named 'imported'. When this parameter is set to true, it bypasses both CSRF token validation and server-side form validation.
As a result, an authenticated user can send a crafted POST request to save arbitrary inventory item data without the usual CSRF protection and without the normal validation checks on the form fields. This could allow manipulation of inventory data in ways that are normally prevented.
This vulnerability was fixed in version 5.0.8 of Admidio.
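The bypass pattern the answer describes, as an added example that is not Admidio's code: a PHP save handler in which a request-supplied `imported` flag lets the caller skip both the CSRF token check and the field validation, next to a hardened handler that runs both checks unconditionally. Every name here (`save_item_vulnerable`, `save_item_fixed`, `validate_item`, `csrf_token`, `csrf_valid`, the in-memory `$session` and `$store` arrays) is hypothetical, and the request data at the bottom is constructed.

```php
<?php
declare(strict_types=1);

// Added example, not Admidio's code. The "session" is a plain array so the
// script runs from the CLI without a web server; in a real app this is $_SESSION.

// Issue one CSRF token per session.
function csrf_token(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Constant-time comparison of the submitted token with the session token.
function csrf_valid(array $session, array $post): bool {
    return isset($session['csrf_token'], $post['csrf_token'])
        && is_string($post['csrf_token'])
        && hash_equals($session['csrf_token'], $post['csrf_token']);
}

// Server-side validation of the inventory item fields (hypothetical fields).
function validate_item(array $post): array {
    $errors = [];
    $name = trim((string)($post['item_name'] ?? ''));
    if ($name === '' || strlen($name) > 100) {
        $errors[] = 'item_name must be 1-100 characters';
    }
    if (!ctype_digit((string)($post['quantity'] ?? ''))) {
        $errors[] = 'quantity must be a non-negative integer';
    }
    return $errors;
}

// Vulnerable shape: a client-controlled flag decides whether the security
// checks run at all, so any request that sets it is stored unchecked.
function save_item_vulnerable(array $session, array $post, array &$store): array {
    $imported = filter_var($post['imported'] ?? false, FILTER_VALIDATE_BOOLEAN);
    if (!$imported) {
        if (!csrf_valid($session, $post)) {
            return ['ok' => false, 'errors' => ['invalid CSRF token']];
        }
        $errors = validate_item($post);
        if ($errors !== []) {
            return ['ok' => false, 'errors' => $errors];
        }
    }
    $store[] = ['item_name' => $post['item_name'] ?? '', 'quantity' => $post['quantity'] ?? ''];
    return ['ok' => true, 'errors' => []];
}

// Hardened shape: the CSRF check and the validation run on every request.
// A flag like "imported" may still change non-security behaviour afterwards,
// but it never gates the checks themselves.
function save_item_fixed(array $session, array $post, array &$store): array {
    if (!csrf_valid($session, $post)) {
        return ['ok' => false, 'errors' => ['invalid CSRF token']];
    }
    $errors = validate_item($post);
    if ($errors !== []) {
        return ['ok' => false, 'errors' => $errors];
    }
    $store[] = ['item_name' => trim((string)$post['item_name']), 'quantity' => (int)$post['quantity']];
    return ['ok' => true, 'errors' => []];
}

// Constructed demonstration: a request with no token and invalid fields but
// the flag set, then a well-formed request carrying the session token.
$session = [];
$token = csrf_token($session);
$store = [];

$flagged = ['imported' => 'true', 'item_name' => '', 'quantity' => 'lots'];
$legit   = ['csrf_token' => $token, 'item_name' => 'Projector', 'quantity' => '3'];

foreach (['vulnerable' => 'save_item_vulnerable', 'fixed' => 'save_item_fixed'] as $label => $fn) {
    foreach (['flagged' => $flagged, 'legit' => $legit] as $reqName => $req) {
        $result = $fn($session, $req, $store);
        printf("%-10s %-8s ok=%s errors=%s\n", $label, $reqName,
            $result['ok'] ? 'yes' : 'no', implode('; ', $result['errors']));
    }
}
printf("items stored: %d\n", count($store));
```

Run from the command line, the vulnerable handler accepts the flagged request although it carries no token and fails every field rule, while the hardened handler rejects it with an invalid-token error and accepts only the request that presents the session token and passes validation. The defensive point is structural: a security check must not be reachable only through a branch the client can steer around, so the fix is to hoist the CSRF and validation checks above any request-controlled conditional rather than to add more conditions.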
How can this vulnerability impact me?
The vulnerability allows an authenticated user to bypass CSRF protection and server-side validation when saving inventory item data. This means that an attacker with valid credentials could manipulate inventory data arbitrarily, potentially leading to data integrity issues.
Since the vulnerability does not affect confidentiality or availability, but impacts integrity, it could result in incorrect or malicious data being stored in the inventory system, which may affect business operations relying on accurate inventory information.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Admidio to version 5.0.8 or later, where the issue has been patched.
Until the upgrade is applied, restrict authenticated user access to the inventory module's item_save endpoint to trusted users only, as the vulnerability allows bypassing CSRF and server-side validation.