CVE-2026-34384
Published: 31 March 2026
Summary
CVE-2026-34384 is a medium-severity Cross-Site Request Forgery (CSRF, CWE-352) vulnerability in Admidio. Its CVSS base score is 4.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SC-23 requires session authenticity mechanisms such as CSRF tokens to prevent unauthorized state-changing requests like forged GET approvals for user registrations.
SI-10 mandates validation of information inputs including GET parameters to ensure required CSRF tokens are present before executing irreversible approval actions.
SI-2 requires timely remediation of flaws like the missing CSRF token validation in registration approval functions, directly addressing exploitation of this vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CSRF flaw sits in a public-facing web application (Admidio) and is exploited by getting a privileged user to visit a crafted URL (T1190: Exploit Public-Facing Application; T1204.001: Malicious Link), which bypasses the registration approval step and grants the attacker an approved account.
NVD Description
Admidio is an open-source user management solution. Prior to version 5.0.8, the create_user, assign_member, and assign_user action modes in modules/registration.php approve pending user registrations via GET request without validating a CSRF token. Unlike the delete_user mode in the same file (which correctly validates the token), these three approval actions read their parameters from $_GET and perform irreversible state changes without any protection. An attacker who has submitted a pending registration can extract their own user UUID from the registration confirmation email URL, then trick any user with the rol_approve_users right into visiting a crafted URL that automatically approves the registration. This bypasses the manual registration approval workflow entirely. This issue has been patched in version 5.0.8.
Deeper analysis
CVE-2026-34384 is a Cross-Site Request Forgery (CSRF) vulnerability, mapped to CWE-352, in Admidio, an open-source user management solution. Versions prior to 5.0.8 are affected, specifically the create_user, assign_member, and assign_user action modes in modules/registration.php. These modes approve pending user registrations through GET requests that read parameters from $_GET and execute irreversible state changes without CSRF token validation, unlike the delete_user mode in the same file which properly checks the token.
An attacker who submits a pending registration can extract their user UUID from the registration confirmation email URL and craft a malicious URL. By tricking any authenticated user with the rol_approve_users permission into visiting this URL, the attacker bypasses the manual registration approval workflow, resulting in automatic approval of their account. The CVSS v3.1 base score is 4.5 (AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N), reflecting network accessibility, low attack complexity, requirement for high privileges and user interaction, and high integrity impact with no confidentiality or availability effects.
Admidio has patched this issue in version 5.0.8. Security practitioners should upgrade to this version or later. Additional details are available in the GitHub security advisory at https://github.com/Admidio/admidio/security/advisories/GHSA-ph84-r98x-2j22 and the patch commit at https://github.com/Admidio/admidio/commit/707171c188b3e8f36007fc3f2bccbfac896ed019.
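As an added example (not part of this advisory or of Admidio's code base), the following script scans combined-format web server logs for GET requests to registration.php that use the three unprotected approval modes, and flags those whose Referer is not the application's own host. It assumes the query parameter is named mode, that the script lives under adm_program/, and that the log lines shown are constructed samples.

```python
"""Detect forged-GET approval attempts against Admidio's registration.php
(CVE-2026-34384) in combined-format access logs. Added example, constructed data."""
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Approval modes the advisory names as lacking CSRF validation before 5.0.8.
VULNERABLE_MODES = {"create_user", "assign_member", "assign_user"}

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def classify(line: str, site_host: str) -> Optional[dict]:
    """Return a finding for a suspicious approval request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["path"])
    if not url.path.endswith("/modules/registration.php"):
        return None
    mode = parse_qs(url.query).get("mode", [""])[0]  # "mode" is an assumed parameter name
    if m["method"] != "GET" or mode not in VULNERABLE_MODES:
        return None
    referer_host = urlsplit(m["referer"]).hostname if m["referer"] != "-" else None
    # A legitimate approval is reached from the application itself; a forged request
    # arrives from another origin or carries no Referer (referrer policies can also
    # strip it, so treat this as a triage signal, not proof).
    cross_site = referer_host != site_host
    return {"ip": m["ip"], "mode": mode, "status": m["status"],
            "referer": m["referer"], "cross_site": cross_site}

def scan(lines, site_host="admidio.example.org"):
    return [f for f in (classify(ln, site_host) for ln in lines) if f]

# Constructed sample log lines (placeholder UUIDs, documentation IP ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [31/Mar/2026:10:01:02 +0000] "GET /adm_program/modules/registration.php?mode=create_user&user_uuid=PLACEHOLDER-UUID HTTP/1.1" 302 0 "https://evil.example.net/page.html" "Mozilla/5.0"',
    '198.51.100.4 - - [31/Mar/2026:10:05:30 +0000] "GET /adm_program/modules/registration.php?mode=assign_member&user_uuid=PLACEHOLDER-UUID HTTP/1.1" 302 0 "https://admidio.example.org/adm_program/modules/registration.php" "Mozilla/5.0"',
    '198.51.100.4 - - [31/Mar/2026:10:06:00 +0000] "GET /adm_program/modules/registration.php?mode=delete_user&user_uuid=PLACEHOLDER-UUID HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [31/Mar/2026:10:07:00 +0000] "GET /adm_program/modules/profile/profile.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Matches with cross_site set should be checked against the approving user's session and the pending-registration table; any hit on a version before 5.0.8 is a reason to audit recently approved accounts after upgrading.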
Details
- CWE(s)