CVE-2026-34382 - Vulnerability Details

Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, the delete mode handler in mylist_function.php permanently deletes list configurations without validating a CSRF token. An attacker who can lure an authenticated user to a malicious page can silently destroy that user's list configurations — including organization-wide shared lists when the victim holds administrator rights. This issue has been patched in version 5.0.8.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Exploitation poc

Automatable no

Technical Impact partial

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Admidio

admidio

affected

Version	Status	Constraints
`>= 5.0.0, < 5.0.8`	affected	—

Configuration 1 [-]

cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*

No data.

Project Subscriptions

Vendors	Products
Admidio Subscribe	Admidio Subscribe

Advisories

Source	ID	Title
Github GHSA	GHSA-g3mx-8jm6-rc85	Admidio has Missing CSRF Protections on Custom List Deletion in mylist_function.php

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/Admidio/admidio/commit/317ec91ad3baf19d4179db6c32413812eb36d7ca
https://github.com/Admidio/admidio/security/advisories/GHSA-g3mx-8jm6-rc85

History

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Admidio Admidio admidio
CPEs		cpe:2.3:a:admidio:admidio::::::::
Vendors & Products		Admidio Admidio admidio
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 01 Apr 2026 02:15:00 +0000

Type	Values Removed	Values Added
Description		Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, the delete mode handler in mylist_function.php permanently deletes list configurations without validating a CSRF token. An attacker who can lure an authenticated user to a malicious page can silently destroy that user's list configurations — including organization-wide shared lists when the victim holds administrator rights. This issue has been patched in version 5.0.8.
Title		Admidio: Missing CSRF Protection on Custom List Deletion in mylist_function.php
Weaknesses		CWE-352
References		https://github.com/Admidio/admidio/commit/317ec91ad3baf19d4179db6c32413812eb36d7ca https://github.com/Admidio/admidio/security/advisories/GHSA-g3mx-8jm6-rc85
Metrics		cvssV3_1 `{'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-31T20:32:35.032Z

Updated: 2026-04-01T18:42:45.890Z

Reserved: 2026-03-27T13:43:14.370Z

Link: CVE-2026-34382

Vulnrichment

Updated: 2026-04-01T18:42:42.434Z

NVD

Status : Analyzed

Published: 2026-03-31T21:16:30.180

Modified: 2026-04-01T18:25:24.703

Link: CVE-2026-34382

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-352

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction Required

Exploitation poc

Automatable no

Technical Impact partial

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object