Executive Summary

CVE-2026-41663 is a Cross-Site Request Forgery (CSRF) vulnerability in Admidio versions 5.0.8 and earlier. It affects the preferences module where certain administrative operations—such as database backup, sending test emails, and generating .htaccess files—are triggered via GET requests without CSRF token validation.

Because the SameSite=Lax cookie setting allows cookies to be sent with top-level cross-origin GET requests, an attacker can trick an authenticated administrator into visiting a malicious page that causes these sensitive actions to be executed without their explicit consent.

This vulnerability arises because these operations lack CSRF protection, unlike other actions in the module that require POST requests and token validation. The issue was fixed in Admidio version 5.0.9 by enforcing POST requests and adding CSRF token checks.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized execution of administrative actions by an attacker leveraging an authenticated administrator's session.

• Unauthorized database backups that consume server resources.
• Overwriting the .htaccess file, which can disrupt routing or security headers.
• Sending test emails, which could be exploited for spam or to probe internal mail systems.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves administrative operations in Admidio's preferences module being triggered via GET requests without CSRF token validation. To detect exploitation attempts on your network or system, you can monitor HTTP GET requests to the preferences module endpoints that perform actions like database backup, test email sending, or .htaccess generation.

Specifically, look for GET requests to URLs containing parameters or paths related to 'backup', 'test_email', or 'htaccess' in the modules/preferences.php file.

Example commands to detect such requests in web server logs (assuming Apache logs):

• grep 'GET .*modules/preferences.php.*backup' /var/log/apache2/access.log
• grep 'GET .*modules/preferences.php.*test_email' /var/log/apache2/access.log
• grep 'GET .*modules/preferences.php.*htaccess' /var/log/apache2/access.log

Additionally, monitoring for unusual or unexpected GET requests from authenticated admin users to these endpoints may help identify exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade Admidio to version 5.0.9 or later, where this vulnerability has been patched by enforcing POST requests and adding CSRF token validation for the affected administrative operations.

Additional immediate steps include:

• Restrict access to the preferences module to trusted administrators only.
• Configure session cookies with the SameSite=Strict attribute to prevent them from being sent with cross-origin requests.
• Implement confirmation prompts for destructive actions such as database backups to prevent unintended execution.

These mitigations reduce the risk of CSRF exploitation until the software can be updated.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows an attacker to perform unauthorized administrative actions such as database backups, sending test emails, and overwriting .htaccess files by exploiting the lack of CSRF protection in certain GET requests. While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, such unauthorized actions could potentially lead to data exposure or disruption of security controls, which may impact compliance with regulations that require protection of personal data and secure system operations.

Specifically, unauthorized database backups could expose sensitive data, and overwriting .htaccess files could weaken security configurations, both of which are relevant to regulatory requirements for data protection and system integrity.

Useful 0 Not Useful 0