CVE-2026-41658
Unauthorized Inventory Deletion in Admidio
Publication date: 2026-05-07
Last updated on: 2026-05-07
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| admidio | admidio | to 5.0.9 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41658 is a vulnerability in the Admidio inventory module where destructive operations such as deleting, retiring, reinstating items, and managing item pictures lack proper authorization checks in the backend.
Although the UI hides buttons for these operations from non-administrators, the backend POST handlers do not verify if the user is an inventory administrator. They only perform CSRF validation.
As a result, any authenticated user with access to the inventory module can exploit these endpoints to permanently delete inventory items and their associated data, or manipulate them, even without administrative privileges.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows any authenticated user to permanently delete inventory items and associated data without proper authorization checks. This unauthorized data destruction could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require strict controls over data access and integrity.
Since the vulnerability enables irreversible deletion of data by users lacking administrative privileges, it undermines data security and auditability requirements commonly mandated by these standards.
How can this vulnerability impact me? :
This vulnerability can lead to irreversible data destruction within the inventory module of Admidio.
- Any authenticated user can permanently delete inventory items and all associated data.
- Attackers can perform bulk deletions or manipulate inventory items without proper authorization.
- The entire inventory database could be compromised, leading to potential operational disruption.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized POST requests to the inventory module endpoints such as item_delete, item_retire, item_reinstate, item_picture_upload, item_picture_save, and item_picture_delete.
Specifically, an attacker may send POST requests with item UUIDs to these endpoints without proper administrative privileges.
To detect exploitation attempts, you can inspect web server logs or use network monitoring tools to look for suspicious POST requests targeting these endpoints.
- Use command-line tools like curl or wget to simulate requests and verify if authorization checks are missing.
- Example curl command to test unauthorized deletion (replace URL and item UUID accordingly):
- curl -X POST -d "action=item_delete&item_uuid=TARGET_UUID" https://your-admidio-instance/modules/inventory.php
If the request succeeds without administrative credentials, the system is vulnerable.
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation is to upgrade Admidio to version 5.0.9 or later, where this vulnerability has been patched.
This update adds proper authorization checks (isAdministratorInventory()) to all destructive backend endpoints.
Until the upgrade can be applied, restrict access to the inventory module endpoints to trusted administrative users only, for example by network-level controls or web server access restrictions.
Additionally, monitor logs for suspicious activity and consider temporarily disabling inventory destructive operations if possible.