CVE-2026-34384
Received Received - Intake
CSRF Vulnerability in Admidio Registration Approval Allows Unauthorized User Activation

Publication date: 2026-03-31

Last updated on: 2026-04-01

Assigner: GitHub, Inc.

Description
Admidio is an open-source user management solution. Prior to version 5.0.8, the create_user, assign_member, and assign_user action modes in modules/registration.php approve pending user registrations via GET request without validating a CSRF token. Unlike the delete_user mode in the same file (which correctly validates the token), these three approval actions read their parameters from $_GET and perform irreversible state changes without any protection. An attacker who has submitted a pending registration can extract their own user UUID from the registration confirmation email URL, then trick any user with the rol_approve_users right into visiting a crafted URL that automatically approves the registration. This bypasses the manual registration approval workflow entirely. This issue has been patched in version 5.0.8.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-01
Generated
2026-06-16
AI Q&A
2026-04-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34384
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
admidio admidio to 5.0.8 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Admidio versions prior to 5.0.8. The create_user, assign_member, and assign_user actions in the registration module approve pending user registrations via GET requests without validating a CSRF token. This means these actions perform irreversible state changes without protection against Cross-Site Request Forgery attacks.

An attacker who has submitted a pending registration can obtain their own user UUID from the registration confirmation email URL and then trick a user with the rol_approve_users right into visiting a crafted URL. This URL automatically approves the registration, bypassing the manual approval workflow.

This issue was fixed in version 5.0.8 by adding proper CSRF token validation.

Impact Analysis

The vulnerability allows an attacker to bypass the manual user registration approval process by tricking an authorized user into visiting a malicious URL. This can lead to unauthorized user accounts being approved automatically.

As a result, unauthorized users could gain access to the system with roles or permissions that should have been manually approved, potentially leading to privilege escalation or unauthorized actions within the application.

Mitigation Strategies

The vulnerability is fixed in Admidio version 5.0.8. Immediate mitigation involves upgrading Admidio to version 5.0.8 or later.

Until the upgrade can be performed, restrict or monitor access to the modules/registration.php file, especially the create_user, assign_member, and assign_user action modes, to prevent unauthorized GET requests that approve user registrations without CSRF token validation.

Additionally, review and limit the users who have the rol_approve_users right to reduce the risk of exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34384. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart