Cyber Resilience

CVE-2026-32813

HighPublic PoC

Published: 20 March 2026

Published
20 March 2026
Modified
23 March 2026
KEV Added
Patch
CVSS Score v3.1 8.0 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0004 12.8th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-32813 is a high-severity SQL Injection (CWE-89) vulnerability in Admidio Admidio. Its CVSS base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Admidio, an open-source user management solution, is affected by CVE-2026-32813, an arbitrary SQL injection vulnerability in versions 5.0.6 and prior. The issue arises in the MyList configuration feature, which allows authenticated users to define custom list column layouts by supplying column names, sort directions, and filter conditions. These inputs are safely stored in the adm_list_columns table using prepared statements during write operations. However, when retrieved, the values are directly interpolated into dynamically constructed SQL queries without sanitization or parameterization, enabling a classic second-order SQL injection (safe write, unsafe read) classified under CWE-89.

An authenticated attacker with low privileges can exploit this vulnerability over the network with low complexity, though it requires user interaction such as configuring a MyList. By crafting malicious inputs during the configuration step, the attacker can trigger SQL injection in subsequent queries that read from the adm_list_columns table. Successful exploitation grants arbitrary SQL execution, allowing the attacker to read, modify, or delete any data in the database, resulting in full database compromise with high confidentiality, integrity, and availability impacts (CVSS 8.0: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).

The vulnerability has been addressed in Admidio version 5.0.7, as detailed in the project's GitHub security advisory (GHSA-3x67-4c2c-w45m) and the corresponding fix commit (3473bf5a7aa1bfc5043e73979719396276f4189f). Security practitioners should prioritize upgrading affected installations to the patched version to mitigate the risk.

EU & UK References

Vulnerability details

Admidio is an open-source user management solution. Versions 5.0.6 and below are vulnerable to arbitrary SQL Injection through the MyList configuration feature. The MyList configuration feature lets authenticated users define custom list column layouts, storing user-supplied column names, sort directions,…

more

and filter conditions in the adm_list_columns table via prepared statements. However, these stored values are later read back and interpolated directly into dynamically constructed SQL queries without sanitization or parameterization, creating a classic second-order SQL injection vulnerability (safe write, unsafe read). An attacker can exploit this to inject arbitrary SQL, potentially reading, modifying, or deleting any data in the database and achieving full database compromise. This issue has been fixed in version 5.0.7.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes a remotely exploitable SQL injection flaw in a web-based user management application (Admidio) reachable over the network. This directly maps to T1190 (Exploit Public-Facing Application), where an authenticated attacker supplies malicious column/filter values that are later unsafely interpolated into SQL, enabling arbitrary database read/write/delete operations.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-34381Same product: Admidio Admidio
CVE-2026-34384Same product: Admidio Admidio
CVE-2026-32756Same product: Admidio Admidio
CVE-2026-32817Same product: Admidio Admidio
CVE-2026-39334Shared CWE-89
CVE-2024-13488Shared CWE-89
CVE-2026-20002Shared CWE-89
CVE-2025-1446Shared CWE-89
CVE-2025-22699Shared CWE-89
CVE-2026-36232Shared CWE-89

Affected Assets

admidio
admidio
≤ 5.0.7

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation of user-supplied column names, sort directions, and filter conditions retrieved from adm_list_columns before interpolating into dynamic SQL queries, directly preventing second-order SQL injection.

prevent

Mandates timely flaw remediation by upgrading to Admidio version 5.0.7, which fixes the unsafe read and interpolation of stored inputs.

detect

Vulnerability scanning identifies SQL injection flaws like this second-order vulnerability in the MyList feature prior to exploitation.

References