CVE-2026-34382 Overview
CVE-2026-34382 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Admidio, an open-source user management solution. The vulnerability exists in the delete mode handler within mylist_function.php, which permanently deletes list configurations without validating a CSRF token. An attacker who can lure an authenticated user to a malicious page can silently destroy that user's list configurations — including organization-wide shared lists when the victim holds administrator rights.
Critical Impact
Authenticated users, particularly administrators, can have their list configurations — including organization-wide shared lists — permanently deleted through a CSRF attack without any user interaction beyond visiting a malicious page.
Affected Products
- Admidio versions 5.0.0 through 5.0.7
- Users with list configuration privileges
- Administrators with access to organization-wide shared lists
Discovery Timeline
- 2026-03-31 - CVE-2026-34382 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-34382
Vulnerability Analysis
This vulnerability stems from the absence of CSRF token validation in the delete mode handler of the mylist_function.php file. The affected endpoint processes deletion requests for list configurations without verifying that the request originated from a legitimate session within the Admidio application. This allows an attacker to craft a malicious page that, when visited by an authenticated Admidio user, automatically submits a forged request to delete list configurations.
The impact is particularly severe when targeting administrators, as they have access to organization-wide shared lists. Successful exploitation results in permanent data loss with no confirmation dialog or additional authentication check protecting the destructive action.
Root Cause
The root cause is improper validation of user requests (CWE-352). The delete operation in mylist_function.php failed to implement CSRF token verification before processing deletion requests. This missing security control allowed cross-origin requests to execute privileged actions on behalf of authenticated users.
Attack Vector
The vulnerability is exploitable over the network and requires user interaction. An attacker must craft a malicious webpage containing a forged request targeting the vulnerable endpoint. When an authenticated Admidio user visits this malicious page while logged into their Admidio instance, the browser automatically includes the user's session cookies with the forged request, effectively allowing the attacker to execute the delete action with the victim's privileges.
The following patch was applied in version 5.0.8 to address this vulnerability by implementing CSRF token validation:
throw new Exception('SYS_MODULE_DISABLED');
}
+ // check the CSRF token of the form against the session token
+ $myListForm = $gCurrentSession->getFormObject($_POST['adm_csrf_token']);
+ if ($_POST['adm_csrf_token'] !== $myListForm->getCsrfToken()) {
+ throw new Exception('Invalid or missing CSRF token!');
+ }
// At least one field should be assigned (has a non-empty value)
if (
empty($_POST['column']) ||
Source: GitHub Commit Details
Detection Methods for CVE-2026-34382
Indicators of Compromise
- Unexpected deletion of list configurations without user-initiated action
- HTTP POST requests to mylist_function.php originating from external referrers
- Audit logs showing list deletions occurring shortly after users visited external websites
- Multiple list configurations deleted in rapid succession across different user accounts
Detection Strategies
- Monitor web server access logs for requests to mylist_function.php with external or missing Referer headers
- Implement Content Security Policy (CSP) headers to restrict form submissions to same-origin requests
- Review Admidio audit logs for unexpected deletion events, particularly affecting shared organization lists
- Deploy web application firewall (WAF) rules to detect cross-origin POST requests to sensitive endpoints
Monitoring Recommendations
- Enable detailed logging for all list configuration changes within Admidio
- Configure alerts for bulk deletion activities or deletions by administrator accounts
- Monitor for anomalous user session activity patterns that may indicate CSRF exploitation
- Regularly audit list configurations to detect unauthorized modifications or deletions
How to Mitigate CVE-2026-34382
Immediate Actions Required
- Upgrade Admidio to version 5.0.8 or later immediately
- Review audit logs for any suspicious list configuration deletions since deploying affected versions
- Restore any deleted list configurations from backups if exploitation is suspected
- Educate administrators about the risks of visiting untrusted websites while logged into Admidio
Patch Information
The vulnerability has been patched in Admidio version 5.0.8. The fix implements CSRF token validation by checking the adm_csrf_token POST parameter against the session's stored token before processing any delete operations. Organizations should upgrade to version 5.0.8 or later by following the official upgrade documentation.
For detailed patch information, refer to the GitHub Security Advisory and the commit implementing the fix.
Workarounds
- Restrict access to Admidio through IP whitelisting until the patch can be applied
- Implement reverse proxy rules to reject requests to mylist_function.php with external referrers
- Advise users to use dedicated browser profiles for Admidio administration tasks
- Temporarily disable list configuration deletion functionality at the application level if feasible
# Example: Apache mod_rewrite rule to block external referrers to sensitive endpoints
# Add to .htaccess or Apache configuration
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com [NC]
RewriteRule ^modules/groups-roles/mylist_function\.php$ - [F,L]
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
