7.3

CVE-2026-34384

Exploit

Admidio: Missing CSRF Protection on Registration Approval Actions

Admidio is an open-source user management solution. Prior to version 5.0.8, the create_user, assign_member, and assign_user action modes in modules/registration.php approve pending user registrations via GET request without validating a CSRF token. Unlike the delete_user mode in the same file (which correctly validates the token), these three approval actions read their parameters from $_GET and perform irreversible state changes without any protection. An attacker who has submitted a pending registration can extract their own user UUID from the registration confirmation email URL, then trick any user with the rol_approve_users right into visiting a crafted URL that automatically approves the registration. This bypasses the manual registration approval workflow entirely. This issue has been patched in version 5.0.8.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
AdmidioAdmidio Version < 5.0.8
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.17% 0.065
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.3 2.1 5.2
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
security-advisories@github.com 4.5 0.9 3.6
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N
CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

https://github.com/Admidio/admidio/security/advisories/GHSA-ph84-r98x-2j22
Vendor Advisory
Exploit
Mitigation
https://github.com/Admidio/admidio/commit/707171c188b3e8f36007fc3f2bccbfac896ed019
Patch