CVE-2026-34381
Published: 31 March 2026
Summary
CVE-2026-34381 is a high-severity Improper Access Control (CWE-284) vulnerability in Admidio. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 28.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Establishes and enforces secure configuration settings for Apache in the Docker image, so that .htaccess processing is enabled and direct HTTP access to uploaded documents is denied.
- AC-3 (Access Enforcement): enforces approved access control policies at the application and web server level, preventing unauthenticated direct access to protected uploaded files regardless of the permissions configured in the UI.
- AC-22 (Publicly Accessible Content): manages and monitors publicly accessible content to prevent unauthorized disclosure of sensitive uploaded documents exposed via known file paths.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Improper access control in the public-facing Admidio web application (Docker/Apache) allows unauthenticated remote access to uploaded documents, which directly enables T1190 Exploit Public-Facing Application.
NVD Description
Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, Admidio relies on adm_my_files/.htaccess to deny direct HTTP access to uploaded documents. The Docker image ships with AllowOverride None in the Apache configuration, which causes Apache to silently ignore all .htaccess files. As a result, any file uploaded to the documents module, regardless of the role-based permissions configured in the UI, is directly accessible over HTTP without authentication by anyone who knows the file path. The file path is disclosed in the upload response JSON. This issue has been patched in version 5.0.8.
Deeper analysis
CVE-2026-34381 is an improper access control vulnerability (CWE-284) in Admidio, an open-source user management solution. It affects versions 5.0.0 through 5.0.7 when deployed using the official Docker image. Admidio relies on an .htaccess file in the adm_my_files directory to deny direct HTTP access to uploaded documents in the documents module. However, the Docker image's Apache configuration sets AllowOverride None, causing Apache to ignore all .htaccess files silently. As a result, uploaded files are exposed regardless of UI-configured role-based permissions.
An unauthenticated attacker (PR:N) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). By knowing the file path—disclosed in the JSON response from the upload endpoint—the attacker can directly access any uploaded document via HTTP, bypassing authentication and permissions. This yields high confidentiality impact (C:H) with no integrity or availability disruption (I:N/A:N), earning a CVSS v3.1 base score of 7.5 (S:U).
Admidio patched the issue in version 5.0.8. The GitHub security advisory GHSA-7fh7-8xqm-3g88 and patching commit (5f770c1ca81a4f6b02136280cd63316a35aabaaf) provide further details on the fix. Organizations using affected Docker deployments should upgrade immediately to mitigate exposure of sensitive uploaded files.
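The failure mode above is a configuration one: protection lives in a .htaccess file that Apache never reads because AllowOverride is None. The following audit script is an added example (not code from Admidio or from this advisory) that parses the <Directory> blocks of an Apache config and reports whether an upload directory is denied in the server config itself, is left to .htaccess (which only works when AllowOverride permits it), or is exposed. The upload path, the sample configurations and the simplified directive-merging model are assumptions, not taken from the page.

```python
import re

# Assumed path for Admidio's upload directory inside the container (not stated on the page).
UPLOAD_DIR = "/var/www/html/adm_my_files"
BLOCK_RE = re.compile(r'<Directory\s+"?([^\s">]+)"?\s*>(.*?)</Directory>', re.S | re.I)

def parse_directory_blocks(config):
    """Map each top-level <Directory> path to its AllowOverride and Require values."""
    blocks = {}
    for path, body in BLOCK_RE.findall(config):
        entry = {"allowoverride": None, "require": None}
        for line in body.splitlines():
            m = re.match(r"\s*(AllowOverride|Require)\s+(.+)", line, re.I)
            if m:
                entry[m.group(1).lower()] = m.group(2).strip().lower()
        blocks[path.rstrip("/")] = entry
    return blocks

def audit_upload_dir(config, upload_dir=UPLOAD_DIR):
    """'server-config': a <Directory> block denies the uploads directly (independent of .htaccess);
    'htaccess': the covering block lets .htaccess set Require (AllowOverride All or AuthConfig);
    'exposed': AllowOverride None/unset and no server-level deny, i.e. the CVE-2026-34381 condition."""
    blocks = parse_directory_blocks(config)
    # Apache applies the most specific matching <Directory>; this is a simplified merge model.
    covering = [p for p in blocks if upload_dir == p or upload_dir.startswith(p + "/")]
    if not covering:
        return "exposed"
    best = blocks[max(covering, key=len)]
    if best["require"] == "all denied":
        return "server-config"
    overrides = (best["allowoverride"] or "none").split()
    if "all" in overrides or "authconfig" in overrides:
        return "htaccess"
    return "exposed"

# Constructed sample mimicking the vulnerable image: AllowOverride None on the web root.
VULNERABLE_CONF = """
<Directory /var/www/html>
    Options -Indexes
    AllowOverride None
    Require all granted
</Directory>
"""
# Constructed hardened sample: deny uploads in the server config so .htaccess is not load-bearing.
HARDENED_CONF = VULNERABLE_CONF + """
<Directory /var/www/html/adm_my_files>
    Require all denied
</Directory>
"""
```

Run it against the real httpd.conf of a deployment to confirm the directory is denied at the server level rather than relying on AllowOverride being turned on.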
Details
- CWE(s): CWE-284 (Improper Access Control)