CVE-2026-34383
CSRF Bypass in Admidio Inventory Module Allows Unauthorized Data Modification

Publication date: 2026-03-31

Last updated on: 2026-04-01

Assigner: GitHub, Inc.

Description
Admidio is an open-source user management solution. Prior to version 5.0.8, the inventory module's item_save endpoint accepts a user-controllable POST parameter imported that, when set to true, completely bypasses both CSRF token validation and server-side form validation. An authenticated user can craft a direct POST request to save arbitrary inventory item data without CSRF protection and without the field value checks that the FormPresenter validation normally enforces. This issue has been patched in version 5.0.8.
Meta Information
Published: 2026-03-31
Last Modified: 2026-04-01
Generated: 2026-06-16
AI Q&A: 2026-04-01
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: admidio
Product: admidio
Version / Range: to 5.0.8 (exc)
CWE
CWE-352: The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
CWE-20: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Executive Summary

This vulnerability exists in Admidio, an open-source user management solution, specifically in versions prior to 5.0.8. The issue is in the inventory module's item_save endpoint, which accepts a user-controllable POST parameter named 'imported'. When this parameter is set to true, it bypasses both CSRF token validation and server-side form validation.

As a result, an authenticated user can send a crafted POST request to save arbitrary inventory item data without the usual CSRF protection and without the normal validation checks on the form fields. This could allow manipulation of inventory data in ways that are normally prevented.

This vulnerability was fixed in version 5.0.8 of Admidio.

Impact Analysis

The vulnerability allows an authenticated user to bypass CSRF protection and server-side validation when saving inventory item data. This means that an attacker with valid credentials could manipulate inventory data arbitrarily, potentially leading to data integrity issues.

The vulnerability impacts integrity but does not affect confidentiality or availability. It could result in incorrect or malicious data being stored in the inventory system, which may affect business operations that rely on accurate inventory information.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Admidio to version 5.0.8 or later, where the issue has been patched.

Until the upgrade is applied, restrict authenticated user access to the inventory module's item_save endpoint to trusted users only, as the vulnerability allows bypassing CSRF and server-side validation.
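
The class of flaw described above, shown as an added example that is not Admidio's code or its 5.0.8 patch: a request parameter that switches off the CSRF and field checks, beside a handler that runs them unconditionally. All function names, the csrf_token and item_name fields, and the 100-character rule are assumptions made for illustration; only the imported parameter comes from the advisory.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-ins for the application's token check and field
// validation. These are not Admidio APIs.
function csrfTokenValid(array $session, array $post): bool
{
    return isset($session['csrf_token'], $post['csrf_token'])
        && is_string($post['csrf_token'])
        && hash_equals($session['csrf_token'], $post['csrf_token']);
}

function fieldsValid(array $post): bool
{
    // Constructed rule: item name is required, at most 100 characters.
    $name = $post['item_name'] ?? '';
    return is_string($name) && $name !== '' && strlen($name) <= 100;
}

// Flawed pattern: the request body decides whether the checks run at all.
function saveItemFlawed(array $session, array $post): bool
{
    $imported = ($post['imported'] ?? '') === 'true'; // client-controlled
    if (!$imported) {
        if (!csrfTokenValid($session, $post) || !fieldsValid($post)) {
            return false;
        }
    }
    return true; // the item would be persisted here
}

// Hardened pattern: both checks are unconditional. If an import path needs
// different handling, select it from server-side state, never from the body.
function saveItemHardened(array $session, array $post): bool
{
    return csrfTokenValid($session, $post) && fieldsValid($post);
}

// Constructed request: no token, empty item name, imported=true.
$session = ['csrf_token' => bin2hex(random_bytes(16))];
$post    = ['imported' => 'true', 'item_name' => ''];

// Compare how each handler treats the same request.
var_dump(saveItemFlawed($session, $post));
var_dump(saveItemHardened($session, $post));
```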
