CVE-2026-34383

MEDIUM

Admidio: CSRF and Form Validation Bypass in Inventory Item Save via `imported` Parameter

Title source: cna

Description

Admidio is an open-source user management solution. Prior to version 5.0.8, the inventory module's item_save endpoint accepts a user-controllable POST parameter imported that, when set to true, completely bypasses both CSRF token validation and server-side form validation. An authenticated user can craft a direct POST request to save arbitrary inventory item data without CSRF protection and without the field value checks that the FormPresenter validation normally enforces. This issue has been patched in version 5.0.8.

References (2)

[X_Refsource_Confirm] https://github.com/Admidio/admidio/security/advisories/GHSA-4rwm-c5mj-wh7x

[X_Refsource_Misc] https://github.com/Admidio/admidio/commit/00494b95dfe847af8b938e4397e5d909d8f36839

View Writeup ZIP pw:eip

Scores

CVSS v3 4.3

EPSS 0.0003

EPSS Percentile 7.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-20 CWE-352

Status published

Products (3)

admidio/admidio < 5.0.8

admidio/admidio 0 - 5.0.8Packagist

Admidio/admidio < 5.0.8

Published Mar 31, 2026

Tracked Since Apr 01, 2026