Admidio: CSRF on Admin Preferences Triggers Unauthorized Backup, .htaccess Write,...

3.5 / 10

LOW

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:L

Description

Admidio is an open-source user management solution. Prior to version 5.0.9, several administrative operations in Admidio's preferences module (database backup, test email, htaccess generation) fire via GET requests with no CSRF token validation. Because SameSite=Lax cookies travel with top-level GET navigations, an attacker forces an authenticated admin to trigger these actions from a malicious page. This issue has been patched in version 5.0.9.

Basic Information

ID CVE-2026-41663

Source GitHub_M

Published May 7, 2026 at 03:00

Affected Product

Vendor Admidio

Product admidio

Version < 5.0.9

Affected Versions Admidio admidio < 5.0.9

CWE Classification

CWE-352

References

{
    "lastseen": "",
    "description": "Admidio is an open-source user management solution. Prior to version 5.0.9, several administrative operations in Admidio's preferences module (database backup, test email, htaccess generation) fire via GET requests with no CSRF token validation. Because SameSite=Lax cookies travel with top-level GET navigations, an attacker forces an authenticated admin to trigger these actions from a malicious page. This issue has been patched in version 5.0.9.",
    "published": "2026-05-07T03:00:11.696Z",
    "modified": "2026-05-07T03:00:11.696Z",
    "type": "cve",
    "title": "Admidio: CSRF on Admin Preferences Triggers Unauthorized Backup, .htaccess Write, and Email Send",
    "source": "GitHub_M",
    "references": "https://github.com/Admidio/admidio/security/advisories/GHSA-rw74-vc9h-534j\nhttps://github.com/Admidio/admidio/releases/tag/v5.0.9",
    "id": "CVE-2026-41663",
    "bulletinFamily": "",
    "cwe": [
        "CWE-352"
    ],
    "cvelist": null,
    "sourceData": "Admidio admidio < 5.0.9",
    "sourceHref": "",
    "cvss": {
        "score": 3.5,
        "severity": "LOW",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "admidio",
    "version": "< 5.0.9",
    "vendor": "Admidio",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Admidio: CSRF on Admin Preferences Triggers Unauthorized Backup, .htaccess Write, and Email Send_CVE-2026-41663