7.5

CVE-2026-34381

Exploit

EPSS 0.07%
Veröffentlicht 31.03.2026 20:31:23
Zuletzt bearbeitet 01.04.2026 18:24:07
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, Admidio relies on adm_my_files/.htaccess to deny direct HTTP access to uploaded documents. The Docker image ships with AllowOverride None in the Apache configuration, which causes Apache to silently ignore all .htaccess files. As a result, any file uploaded to the documents module regardless of the role-based permissions configured in the UI, is directly accessible over HTTP without authentication by anyone who knows the file path. The file path is disclosed in the upload response JSON. This issue has been patched in version 5.0.8.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Admidio ≫ Admidio Version >= 5.0.0 < 5.0.8

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.07%	0.224

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

https://github.com/Admidio/admidio/security/advisories/GHSA-7fh7-8xqm-3g88

Vendor Advisory

Exploit

Mitigation

https://github.com/Admidio/admidio/commit/5f770c1ca81a4f6b02136280cd63316a35aabaaf

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-34381

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-34381

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-34381

EUVD