CVE-2026-41663
CSRF Vulnerability in Admidio Preferences Module
Publication date: 2026-05-07
Last updated on: 2026-05-07
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| admidio | admidio | to 5.0.9 (exc) |
| admidio | admidio | 5.0.9 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41663 is a Cross-Site Request Forgery (CSRF) vulnerability in Admidio versions 5.0.8 and earlier. It affects the preferences module where certain administrative operationsβsuch as database backup, sending test emails, and generating .htaccess filesβare triggered via GET requests without CSRF token validation.
Because the SameSite=Lax cookie setting allows cookies to be sent with top-level cross-origin GET requests, an attacker can trick an authenticated administrator into visiting a malicious page that causes these sensitive actions to be executed without their explicit consent.
This vulnerability arises because these operations lack CSRF protection, unlike other actions in the module that require POST requests and token validation. The issue was fixed in Admidio version 5.0.9 by enforcing POST requests and adding CSRF token checks.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized execution of administrative actions by an attacker leveraging an authenticated administrator's session.
- Unauthorized database backups that consume server resources.
- Overwriting the .htaccess file, which can disrupt routing or security headers.
- Sending test emails, which could be exploited for spam or to probe internal mail systems.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves administrative operations in Admidio's preferences module being triggered via GET requests without CSRF token validation. To detect exploitation attempts on your network or system, you can monitor HTTP GET requests to the preferences module endpoints that perform actions like database backup, test email sending, or .htaccess generation.
Specifically, look for GET requests to URLs containing parameters or paths related to 'backup', 'test_email', or 'htaccess' in the modules/preferences.php file.
Example commands to detect such requests in web server logs (assuming Apache logs):
- grep 'GET .*modules/preferences.php.*backup' /var/log/apache2/access.log
- grep 'GET .*modules/preferences.php.*test_email' /var/log/apache2/access.log
- grep 'GET .*modules/preferences.php.*htaccess' /var/log/apache2/access.log
Additionally, monitoring for unusual or unexpected GET requests from authenticated admin users to these endpoints may help identify exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Admidio to version 5.0.9 or later, where this vulnerability has been patched by enforcing POST requests and adding CSRF token validation for the affected administrative operations.
Additional immediate steps include:
- Restrict access to the preferences module to trusted administrators only.
- Configure session cookies with the SameSite=Strict attribute to prevent them from being sent with cross-origin requests.
- Implement confirmation prompts for destructive actions such as database backups to prevent unintended execution.
These mitigations reduce the risk of CSRF exploitation until the software can be updated.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows an attacker to perform unauthorized administrative actions such as database backups, sending test emails, and overwriting .htaccess files by exploiting the lack of CSRF protection in certain GET requests. While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, such unauthorized actions could potentially lead to data exposure or disruption of security controls, which may impact compliance with regulations that require protection of personal data and secure system operations.
Specifically, unauthorized database backups could expose sensitive data, and overwriting .htaccess files could weaken security configurations, both of which are relevant to regulatory requirements for data protection and system integrity.