{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34384", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-27T13:45:29.619Z", "datePublished": "2026-03-31T20:34:37.789Z", "dateUpdated": "2026-04-01T15:53:47.600Z"}, "containers": {"cna": {"title": "Admidio: Missing CSRF Protection on Registration Approval Actions", "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "lang": "en", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Admidio/admidio/security/advisories/GHSA-ph84-r98x-2j22", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-ph84-r98x-2j22"}, {"name": "https://github.com/Admidio/admidio/commit/707171c188b3e8f36007fc3f2bccbfac896ed019", "tags": ["x_refsource_MISC"], "url": "https://github.com/Admidio/admidio/commit/707171c188b3e8f36007fc3f2bccbfac896ed019"}], "affected": [{"vendor": "Admidio", "product": "admidio", "versions": [{"version": "< 5.0.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T20:34:37.789Z"}, "descriptions": [{"lang": "en", "value": "Admidio is an open-source user management solution. Prior to version 5.0.8, the create_user, assign_member, and assign_user action modes in modules/registration.php approve pending user registrations via GET request without validating a CSRF token. Unlike the delete_user mode in the same file (which correctly validates the token), these three approval actions read their parameters from $_GET and perform irreversible state changes without any protection. An attacker who has submitted a pending registration can extract their own user UUID from the registration confirmation email URL, then trick any user with the rol_approve_users right into visiting a crafted URL that automatically approves the registration. This bypasses the manual registration approval workflow entirely. This issue has been patched in version 5.0.8."}], "source": {"advisory": "GHSA-ph84-r98x-2j22", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-ph84-r98x-2j22", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T15:48:30.626509Z", "id": "CVE-2026-34384", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T15:53:47.600Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34384", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-27T13:45:29.619Z", "datePublished": "2026-03-31T20:34:37.789Z", "dateUpdated": "2026-04-01T15:53:47.600Z"}, "containers": {"cna": {"title": "Admidio: Missing CSRF Protection on Registration Approval Actions", "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "lang": "en", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Admidio/admidio/security/advisories/GHSA-ph84-r98x-2j22", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-ph84-r98x-2j22"}, {"name": "https://github.com/Admidio/admidio/commit/707171c188b3e8f36007fc3f2bccbfac896ed019", "tags": ["x_refsource_MISC"], "url": "https://github.com/Admidio/admidio/commit/707171c188b3e8f36007fc3f2bccbfac896ed019"}], "affected": [{"vendor": "Admidio", "product": "admidio", "versions": [{"version": "< 5.0.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T20:34:37.789Z"}, "descriptions": [{"lang": "en", "value": "Admidio is an open-source user management solution. Prior to version 5.0.8, the create_user, assign_member, and assign_user action modes in modules/registration.php approve pending user registrations via GET request without validating a CSRF token. Unlike the delete_user mode in the same file (which correctly validates the token), these three approval actions read their parameters from $_GET and perform irreversible state changes without any protection. An attacker who has submitted a pending registration can extract their own user UUID from the registration confirmation email URL, then trick any user with the rol_approve_users right into visiting a crafted URL that automatically approves the registration. This bypasses the manual registration approval workflow entirely. This issue has been patched in version 5.0.8."}], "source": {"advisory": "GHSA-ph84-r98x-2j22", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34384", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-01T15:48:30.626509Z"}}}], "references": [{"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-ph84-r98x-2j22", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T15:48:47.412Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*", "matchCriteriaId": "943C8893-5336-477E-9026-C55A9659B1EA", "versionEndExcluding": "5.0.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Admidio is an open-source user management solution. Prior to version 5.0.8, the create_user, assign_member, and assign_user action modes in modules/registration.php approve pending user registrations via GET request without validating a CSRF token. Unlike the delete_user mode in the same file (which correctly validates the token), these three approval actions read their parameters from $_GET and perform irreversible state changes without any protection. An attacker who has submitted a pending registration can extract their own user UUID from the registration confirmation email URL, then trick any user with the rol_approve_users right into visiting a crafted URL that automatically approves the registration. This bypasses the manual registration approval workflow entirely. This issue has been patched in version 5.0.8."}], "id": "CVE-2026-34384", "lastModified": "2026-04-01T18:31:30.673", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-31T21:16:30.503", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/Admidio/admidio/commit/707171c188b3e8f36007fc3f2bccbfac896ed019"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-ph84-r98x-2j22"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-ph84-r98x-2j22"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.0.8)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "admidio", "source": "cna", "vendor": "Admidio"}, "product": "admidio", "vendor": "admidio"}], "analysis": {"en": {"generated_at": "2026-04-02T03:53:51.016195+00:00", "value": {"mitigation_remediation": ["Upgrade to Admidio 5.0.8 or newer", "Limit the rol_approve_users permission to a restricted group of trusted users", "Verify that all state\u2011changing actions in the deployment enforce CSRF tokens", "Monitor logs for unexpected approval actions and audit new user creations"], "summary": {"action": "Immediate Patch", "impact": "Unauthorized account approval by exploiting missing CSRF protection"}, "threat_synthesis": {"affected_systems": "Admidio, the open\u2011source user\u2011management platform, is affected for all releases prior to version 5.0.8. Any installation where the registration approval features are enabled and users are granted the rol_approve_users right is potentially vulnerable. The issue exists specifically in the modules/registration.php file handling the create_user, assign_member, and assign_user action modes.", "description_and_impact": "The flaw allows a user to trigger approval of pending registrations through an unauthenticated GET request, because the create_user, assign_member, and assign_user actions in modules/registration.php lack CSRF token validation. A crafted link that contains a pending registration\u2019s UUID can automatically approve the account when an authorized user with the rol_approve_users right clicks it. This bypasses the intended manual review, permitting the attacker to establish an account with whatever roles are granted by the approval workflow, thereby potentially elevating their privileges within the application. The weakness is categorized as a missing CSRF protection (CWE\u2011352).", "risk_and_exploitability": "The CVSS score of 4.5 indicates a moderate impact, while the EPSS score of less than 1\u202f% suggests that exploitation is uncommon. Because the flaw requires an authorized approver to click a crafted link, the attack surface is limited to applications that grant the rol_approve_users permission to a broader set of users. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote via a crafted HTTP GET request delivered through phishing or social engineering; the attacker can pre\u2011generate the approval URL after submitting a pending registration and then trick a legitimate approver into visiting it."}}}}, "created": "2026-04-02T07:52:32.622187+00:00", "updated": "2026-04-02T20:10:46.574981+00:00", "vendors": ["admidio", "admidio$PRODUCT$admidio"]}