CVE-2026-34384 Overview
Admidio, an open-source user management solution, contains a Cross-Site Request Forgery (CSRF) vulnerability in its user registration approval workflow. Prior to version 5.0.8, the create_user, assign_member, and assign_user action modes in modules/registration.php process pending user registration approvals via GET requests without validating CSRF tokens. Because the check is missing, an attacker can bypass the manual registration approval workflow entirely by tricking an administrator into visiting a maliciously crafted URL.
Critical Impact
An attacker who has submitted a pending registration can extract their own user UUID from the registration confirmation email URL, then craft a malicious link that automatically approves their registration when clicked by any user with the rol_approve_users privilege, completely bypassing organizational access controls.
Affected Products
- Admidio versions prior to 5.0.8
- Installations using the registration approval workflow
- Systems where users with rol_approve_users rights process pending registrations
Discovery Timeline
- 2026-03-31 - CVE-2026-34384 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-34384
Vulnerability Analysis
The vulnerability exists in the registration approval logic within modules/registration.php. While the delete_user mode in the same file correctly validates CSRF tokens before processing requests, the create_user, assign_member, and assign_user action modes fail to implement the same security control. These approval actions read their parameters from the $_GET superglobal and perform an irreversible state change, namely elevating a pending registration to an approved user account, without any CSRF protection.
The attack surface is particularly concerning because the user UUID required for exploitation is not secret; it is exposed to the attacker in the registration confirmation email URL they receive after submitting their registration request. This creates a self-serve attack scenario where the attacker possesses all information needed to craft a malicious approval URL.
Root Cause
The root cause is inconsistent CSRF token validation across different action modes within the same PHP module. The development team implemented proper CSRF protection for the delete_user operation but overlooked the equally sensitive approval operations (create_user, assign_member, assign_user). These approval endpoints accept GET requests, which are inherently susceptible to CSRF attacks since they can be triggered by simply loading a URL in an image tag, link click, or redirect.
Attack Vector
The attack is delivered over the network and follows a straightforward path. An attacker submits a registration request to the target Admidio instance, then extracts their user UUID from the confirmation email. They construct a malicious URL targeting the vulnerable approval endpoints and deliver this URL to any user with the rol_approve_users privilege through phishing emails, social engineering, or embedding the URL in external web pages. When the privileged user visits the crafted URL while authenticated to Admidio, the approval action executes without their knowledge or consent.
The following patch shows how CSRF token validation was added to the assign_member and assign_user action modes:
$page->createContentAssignUser($registrationUser, true);
$page->show();
} elseif (in_array($getMode, array('assign_member', 'assign_user'))) {
+ // check the CSRF token of the form against the session token
+ SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);
+
$registrationService = new RegistrationService($gDb, $getUserUUID);
$message = $registrationService->assignRegistration($getUserUUIDAssigned, $getMode === 'assign_member');
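Review bot: the added `SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);` indexes `$_POST` unconditionally while the mode and UUIDs in this branch are still GET values (`$getMode`, `$getUserUUID`, `$getUserUUIDAssigned`), so a GET request reaching this branch produces an undefined array key warning before the validator sees a null token; suggest `SecurityUtils::validateCsrfToken($_POST['adm_csrf_token'] ?? '');` or an explicit rejection of non-POST requests so a missing token fails cleanly inside the validator. Also, the advisory lists create_user as vulnerable alongside assign_member and assign_user, but this hunk only guards the `in_array($getMode, array('assign_member', 'assign_user'))` branch; please confirm create_user receives the same check elsewhere in the commit.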
Source: GitHub Commit Update
Similarly, the profile_new.php module was patched to validate CSRF tokens for registration acceptance:
foreach ($getUserUuids as $userUuid) {
// read user data
if (!$gValidLogin || $getAcceptRegistration) {
+ if ($getAcceptRegistration) {
+ // check the CSRF token of the form against the session token
+ SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);
+ }
+
// create a user registration object and set requested organization
$user = new UserRegistration($gDb, $gProfileFields);
$user->readDataByUuid($userUuid);
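Review bot: the token check sits inside `foreach ($getUserUuids as $userUuid)`, so it re-runs for every UUID although the CSRF token is a property of the request, not of the user being accepted; hoist `if ($getAcceptRegistration) { SecurityUtils::validateCsrfToken(...); }` above the loop so it executes exactly once before any per-user work. As in registration.php, `$_POST['adm_csrf_token']` should be read with `?? ''` (or the request method checked) so that a GET without a form body fails in the validator rather than with an undefined array key warning.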
Source: GitHub Commit Update
Detection Methods for CVE-2026-34384
Indicators of Compromise
- Unexpected user account approvals without corresponding administrative action in audit logs
- Web server access logs showing GET requests to registration.php with mode=create_user, mode=assign_member, or mode=assign_user parameters from external referrers
- New user accounts appearing with registration approval timestamps that don't correlate with administrator activity
- Referrer headers in access logs pointing to external domains for registration approval requests
Detection Strategies
- Monitor HTTP access logs for GET requests to /modules/registration.php containing approval action modes (create_user, assign_member, assign_user) with suspicious referrer headers
- Implement alerting for user registration approvals occurring outside of normal administrative hours or from unusual IP addresses
- Cross-reference user approval events with administrator session activity to identify approvals that occurred without legitimate administrative context
- Deploy web application firewall (WAF) rules to flag registration approval requests originating from cross-origin contexts
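As an added illustration of the log-based detection strategy above (not part of the advisory and not Admidio's own tooling), the following Python script scans Apache/nginx combined-format access log lines for GET requests to modules/registration.php that carry an approval mode and have a missing or external Referer; the host name admidio.example.org, the sample log lines and the uuid query parameter are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Approval modes of modules/registration.php named in the advisory.
APPROVAL_MODES = {"create_user", "assign_member", "assign_user"}
# Assumption: the host name(s) under which this Admidio instance is served.
TRUSTED_HOSTS = {"admidio.example.org"}

# Apache/nginx "combined" format: ip - - [ts] "METHOD target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def classify(line):
    """Return a finding for a suspicious registration approval request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m["target"])
    if not target.path.endswith("/modules/registration.php"):
        return None
    mode = parse_qs(target.query).get("mode", [""])[0]
    if mode not in APPROVAL_MODES or m["method"] != "GET":
        return None  # the patched flow is a POST carrying adm_csrf_token; only GET approvals matter
    referer = m["referer"]
    ref_host = urlsplit(referer).hostname if referer not in ("", "-") else None
    if ref_host in TRUSTED_HOSTS:
        return None  # same-site navigation: audit it, but it is not a cross-site indicator
    # Mail clients and Referrer-Policy often strip the Referer, so "missing" is a signal too.
    reason = "missing referer" if ref_host is None else f"external referer {ref_host}"
    return {"ip": m["ip"], "ts": m["ts"], "mode": mode, "reason": reason}

def scan(lines):
    """Run classify() over an iterable of log lines and keep the findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample lines (not real traffic); the uuid parameter name is a placeholder.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Apr/2026:10:14:02 +0000] "GET /admidio/modules/registration.php?mode=assign_member&uuid=PLACEHOLDER-UUID HTTP/1.1" 302 0 "https://attacker.example/lure.html" "Mozilla/5.0"
198.51.100.7 - - [01/Apr/2026:10:15:30 +0000] "GET /admidio/modules/registration.php?mode=create_user&uuid=PLACEHOLDER-UUID HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [01/Apr/2026:10:16:11 +0000] "POST /admidio/modules/registration.php?mode=assign_user HTTP/1.1" 302 0 "https://admidio.example.org/admidio/modules/registration.php" "Mozilla/5.0"
192.0.2.9 - - [01/Apr/2026:10:17:45 +0000] "GET /admidio/modules/registration.php HTTP/1.1" 200 5123 "https://admidio.example.org/admidio/" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A real deployment would also join each finding against the approving user's session activity, as the strategies above recommend, before raising an alert.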
Monitoring Recommendations
- Enable detailed logging for all user registration and approval events within Admidio's administrative interface
- Configure SIEM correlation rules to detect registration approvals that lack corresponding administrator-initiated session activity
- Implement periodic audits of newly approved user accounts against expected registration patterns
- Monitor for spikes in registration approval activity that may indicate automated exploitation attempts
How to Mitigate CVE-2026-34384
Immediate Actions Required
- Upgrade Admidio to version 5.0.8 or later immediately, as this version includes the security patch
- Review all user accounts approved in the period prior to patching for unauthorized registrations
- Temporarily disable public registration functionality if immediate patching is not possible
- Alert users with rol_approve_users privileges about the CSRF risk and instruct them to avoid clicking untrusted links while authenticated
Patch Information
The vulnerability has been patched in Admidio version 5.0.8. The fix implements proper CSRF token validation by requiring the adm_csrf_token parameter to be submitted via POST and validated against the session token using the SecurityUtils::validateCsrfToken() function. This ensures that approval actions can only be triggered by legitimate form submissions from within the Admidio interface.
Patch commit 707171c188b3e8f36007fc3f2bccbfac896ed019 addresses this vulnerability. See the GitHub Security Advisory for complete details.
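To make the root cause and the fix described above concrete, here is an added Python model (not Admidio's PHP code) of the pre-5.0.8 dispatch, where only delete_user checks the token, beside the 5.0.8 behaviour, where every approval mode validates the POSTed adm_csrf_token against the session token; the uuid parameter name, the session dictionary and the pending/approved sets are simplifying assumptions.

```python
import hmac
import secrets

APPROVAL_MODES = ("create_user", "assign_member", "assign_user")

class CsrfError(Exception):
    """Stands in for the abort that SecurityUtils::validateCsrfToken() performs on a bad token."""

def issue_csrf_token(session):
    """Mint one token per session; each Admidio form embeds it as the adm_csrf_token field."""
    return session.setdefault("adm_csrf_token", secrets.token_hex(32))

def validate_csrf_token(submitted, session):
    """The form token must equal the session token; missing, foreign or stale tokens all fail."""
    expected = session.get("adm_csrf_token")
    if submitted is None or expected is None or not hmac.compare_digest(
        submitted.encode(), expected.encode()
    ):
        raise CsrfError("CSRF token missing or does not match the session token")

def _apply(mode, uuid, pending, approved):
    """The irreversible state change: a pending registration becomes an approved account."""
    if mode in APPROVAL_MODES and uuid in pending:
        pending.discard(uuid)
        approved.add(uuid)
    elif mode == "delete_user":
        pending.discard(uuid)

def handle_pre_5_0_8(get, post, session, pending, approved):
    """Pre-fix dispatch: only delete_user validates the token; approvals run on a bare GET."""
    if get.get("mode") == "delete_user":
        validate_csrf_token(post.get("adm_csrf_token"), session)
    _apply(get.get("mode"), get.get("uuid"), pending, approved)

def handle_5_0_8(get, post, session, pending, approved):
    """Patched dispatch: every state-changing mode validates the POSTed token first."""
    if get.get("mode") in ("delete_user",) + APPROVAL_MODES:
        validate_csrf_token(post.get("adm_csrf_token"), session)
    _apply(get.get("mode"), get.get("uuid"), pending, approved)

def forged_get_approves(handler, session, pending, approved):
    """A cross-site GET rides on the victim's cookie (session) but carries no form body."""
    try:
        handler({"mode": "create_user", "uuid": "PENDING-UUID"}, {}, session, pending, approved)
    except CsrfError:
        return False
    return "PENDING-UUID" in approved
```

Because the token is read only from the POST body, a token placed in the query string of a forged link would not pass either, and the browser never attaches another origin's form field to a cross-site request.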
Workarounds
- Restrict access to the registration module by implementing IP-based access controls at the web server or firewall level
- Require administrators to use separate browser profiles or incognito sessions when reviewing pending registrations
- Implement additional authentication requirements (e.g., re-authentication) before processing registration approvals at the reverse proxy level
- Configure Content Security Policy headers to restrict the contexts from which Admidio pages can be loaded
# Example Apache (2.4) configuration to restrict registration module access.
# Several Require lines inside <Location> are OR'd (an implicit <RequireAny>),
# so clients from either network are admitted and all others receive 403.
<Location "/modules/registration.php">
    Require ip 192.168.1.0/24
    Require ip 10.0.0.0/8
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

