CVE-2026-34382 - Vulnerability Details

- Admidio: Missing CSRF Protection on Custom List Deletion in mylist_function.php

Description

Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, the delete mode handler in mylist_function.php permanently deletes list configurations without validating a CSRF token. An attacker who can lure an authenticated user to a malicious page can silently destroy that user's list configurations — including organization-wide shared lists when the victim holds administrator rights. This issue has been patched in version 5.0.8.

Published: 2026-03-31

Score: 4.6 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Admidio

admidio

affected

Version	Status	Constraints
`>= 5.0.0, < 5.0.8`	affected	—

Configuration 1 [-]

cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Admidio

100%

Version	Status	Scheme	Platform
`[5.0.0,5.0.8)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-g3mx-8jm6-rc85	Admidio has Missing CSRF Protections on Custom List Deletion in mylist_function.php

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00021.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/Admidio/admidio/commit/317ec91ad3baf19d4179db6c32413812eb36d7ca
https://github.com/Admidio/admidio/security/advisories/GHSA-g3mx-8jm6-rc85

History

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Admidio Admidio admidio
CPEs		cpe:2.3:a:admidio:admidio::::::::
Vendors & Products		Admidio Admidio admidio
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 01 Apr 2026 02:15:00 +0000

Type	Values Removed	Values Added
Description		Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, the delete mode handler in mylist_function.php permanently deletes list configurations without validating a CSRF token. An attacker who can lure an authenticated user to a malicious page can silently destroy that user's list configurations — including organization-wide shared lists when the victim holds administrator rights. This issue has been patched in version 5.0.8.
Title		Admidio: Missing CSRF Protection on Custom List Deletion in mylist_function.php
Weaknesses		CWE-352
References		https://github.com/Admidio/admidio/commit/317ec91ad3baf19d4179db6c32413812eb36d7ca https://github.com/Admidio/admidio/security/advisories/GHSA-g3mx-8jm6-rc85
Metrics		cvssV3_1 `{'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L'}`

Subscriptions

Admidio Admidio

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-31T20:32:35.032Z

Updated: 2026-04-01T18:42:45.890Z

Reserved: 2026-03-27T13:43:14.370Z

Link: CVE-2026-34382

Vulnrichment

Updated: 2026-04-01T18:42:42.434Z

NVD

Status : Analyzed

Published: 2026-03-31T21:16:30.180

Modified: 2026-04-01T18:25:24.703

Link: CVE-2026-34382

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:10:48Z

Weaknesses

CWE-352

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction Required

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object