CVE-2021-43008

HIGH LAB

Adminer 1.12.0-4.6.2 - Arbitrary File Read via Remote MySQL Database Connection


Exploitation Summary

EIP tracks 3 public exploits for CVE-2021-43008. PoCs published by p0dalirius, Bamolitho, DaturaSaturated.

AI-analyzed exploit summary: This PoC exploits CVE-2021-43008, a local file read vulnerability in Adminer via SQL injection using the 'LOAD DATA LOCAL INFILE' feature. It authenticates to Adminer, executes arbitrary SQL queries, and reads local files by truncating a table and loading file contents into it.

Description

Improper Access Control in Adminer versions 1.12.0 to 4.6.2 (fixed in version 4.6.3) allows an attacker to achieve Arbitrary File Read on the remote server by requesting the Adminer to connect to a remote MySQL database.

Exploits (3)

nomisec WORKING POC 88 stars
by p0dalirius · poc
https://github.com/p0dalirius/CVE-2021-43008-AdminerRead

This PoC exploits CVE-2021-43008, a local file read vulnerability in Adminer via SQL injection using the 'LOAD DATA LOCAL INFILE' feature. It authenticates to Adminer, executes arbitrary SQL queries, and reads local files by truncating a table and loading file contents into it.

Classification: Working PoC 95%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: Adminer (versions affected by CVE-2021-43008)
Auth required
Prerequisites: Valid Adminer credentials · Access to the Adminer web interface · Target table with write permissions
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by Bamolitho · poc
https://github.com/Bamolitho/adminer_CVE-2021-43008

This PoC demonstrates CVE-2021-43008, an arbitrary file read vulnerability in Adminer ≤ 4.6.2 via a rogue MySQL server exploiting the LOAD DATA LOCAL INFILE command.

Classification: Working PoC 100%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Adminer ≤ 4.6.2
No auth needed
Prerequisites: A rogue MySQL server controlled by the attacker · Adminer instance configured to connect to external MySQL servers
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by DaturaSaturated · poc
https://github.com/DaturaSaturated/Adminer-CVE-2021-43008

This PoC exploits CVE-2021-43008, an SQL injection vulnerability in Adminer, by leveraging the 'LOAD DATA LOCAL INFILE' feature to read arbitrary files from the server. The exploit includes a setup script to configure a MySQL server for testing.

Classification: Working PoC 95%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: Adminer (version not specified)
Auth required
Prerequisites: Access to Adminer interface · Valid credentials · MySQL server with LOCAL INFILE enabled
devstral-2 · analyzed Feb 16, 2026

References (5)

Core References
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/vrana/adminer/releases/tag/v4.6.3
Product x_refsource_misc
https://www.adminer.org/
Exploit, Third Party Advisory x_refsource_misc
https://sansec.io/research/adminer-4.6.2-file-disclosure-vulnerability
Exploit, Third Party Advisory x_refsource_misc
https://podalirius.net/en/cves/2021-43008/
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2022/05/msg00012.html

Scores

CVSS v3 7.5
EPSS 0.8474
EPSS Percentile 99.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

Status published
Products (3)
adminer/adminer 1.12.0 - 4.6.2
debian/debian_linux 9.0
vrana/adminer 1.12.0 - 4.6.3 (Packagist)
Published Apr 05, 2022
Tracked Since Feb 18, 2026