Vypr Intelligence · AI-generated · May 31, 2026 · 9 CVEs

Admidio: Nine CVEs Disclosed Together — IDOR, CSRF, and Auth Bypass Flaws

Nine vulnerabilities hit the open-source membership management platform Admidio on May 29, 2026, spanning IDOR in file operations, missing CSRF tokens on sensitive actions, and an incomplete authorization fix that lets any logged-in user delete inventory fields.

Key findings

  • Three IDOR bugs in documents-files.php let uploaders move, rename, and delete files across folders
  • CSRF on SSO key export (CVE-2026-47232) can leak PKCS#12 bundles with private keys
  • CVE-2026-47228 lets an attacker reset arbitrary user passwords via a cross-site request
  • CVE-2026-47233 is an incomplete fix: inventory field deletion was left unguarded
  • Debug logging (CVE-2026-47234) writes session IDs and auto-login cookies to logs
  • All nine CVEs were disclosed within a 15-minute window on May 29, 2026

Nine security vulnerabilities were disclosed together on May 29, 2026, affecting Admidio, the open-source membership and organization management system written in PHP. The batch — published within a 15-minute window — clusters around three themes: insecure direct object references (IDOR) in the documents and files module, missing CSRF protections on sensitive administrative actions, and an incomplete authorization fix that leaves inventory field deletion exposed.

IDOR cluster in documents-files.php (CVE-2026-47231, CVE-2026-47230, CVE-2026-47226)

Three of the nine CVEs share a common architectural flaw in modules/documents-files.php. The file's state-changing handlers validate upload rights against the folder_uuid URL parameter, but then operate on a *different* resource identified by file_uuid — with no cross-check that the target file belongs to the authorized folder.

CVE-2026-47231 (high severity) lets any member who holds upload rights on at least one folder move files out of private folders via the mode=move_save handler. The File::moveToFolder() method checks upload rights on the destination folder, not on the folder the source file actually lives in, so an attacker can exfiltrate files they should only be able to view. CVE-2026-47230 covers the same pattern for the file_rename_save handler, allowing cross-folder file renaming and description changes by unauthorized uploaders. CVE-2026-47226 extends the pattern to file deletion: an authenticated member with upload rights on any single folder can permanently delete files from folders where they have only view access, because the file_delete handler checks upload rights against the attacker-supplied folder_uuid rather than the target file's actual parent folder.
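The three IDOR bugs share one shape: the authorization check reads a folder identifier from the request while the operation acts on a file identifier from the same request. The snippet below is an added example and not Admidio's code; it models the pattern on a small in-memory file store with hypothetical names (canUpload, moveFileVulnerable, moveFileHardened, $folders, $files) so the defect and its fix can be run side by side.

```php
<?php
// Added example, not Admidio code. Names and data here are constructed.
// Constructed data: a private folder, a public folder, one file, two users.
$folders = [
    'folder-private' => ['uploaders' => ['alice']],
    'folder-public'  => ['uploaders' => ['alice', 'mallory']],
];
$files = [
    'file-secret' => ['folder' => 'folder-private', 'name' => 'board-minutes.pdf'],
];

function canUpload(array $folders, string $folderUuid, string $user): bool
{
    return isset($folders[$folderUuid])
        && in_array($user, $folders[$folderUuid]['uploaders'], true);
}

// Vulnerable shape: the right is checked on the folder named in the request
// (folder_uuid), but the object acted on is the file named in file_uuid.
// Nothing ties the two together.
function moveFileVulnerable(array &$files, array $folders, string $user, array $request): bool
{
    if (!canUpload($folders, $request['folder_uuid'], $user)) {
        return false;
    }
    if (!isset($files[$request['file_uuid']])) {
        return false;
    }
    $files[$request['file_uuid']]['folder'] = $request['dest_folder_uuid'];
    return true;
}

// Hardened shape: derive the source folder from the file record itself and
// require upload rights on both source and destination. Any folder_uuid the
// caller supplies is simply not consulted for authorization.
function moveFileHardened(array &$files, array $folders, string $user, array $request): bool
{
    $fileUuid = $request['file_uuid'];
    if (!isset($files[$fileUuid])) {
        return false;
    }
    $sourceFolder = $files[$fileUuid]['folder'];
    $destFolder   = $request['dest_folder_uuid'];
    if (!canUpload($folders, $sourceFolder, $user) || !canUpload($folders, $destFolder, $user)) {
        return false;
    }
    $files[$fileUuid]['folder'] = $destFolder;
    return true;
}

// Demonstration: mallory has upload rights only on folder-public, yet names a
// file that lives in folder-private.
$request = [
    'folder_uuid'      => 'folder-public',
    'file_uuid'        => 'file-secret',
    'dest_folder_uuid' => 'folder-public',
];
$copy = $files;
printf("vulnerable handler: %s\n", moveFileVulnerable($copy, $folders, 'mallory', $request) ? 'moved' : 'rejected');
$copy = $files;
printf("hardened handler:   %s\n", moveFileHardened($copy, $folders, 'mallory', $request) ? 'moved' : 'rejected');
```

The same resolve-then-check step applies to rename and delete: whatever the handler does, the folder used for the rights check must come from the stored file record, not from a request parameter.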

CSRF failures on sensitive actions (CVE-2026-47232, CVE-2026-47229, CVE-2026-47228)

Three CVEs involve missing or bypassed Cross-Site Request Forgery protections on operations that should require explicit user intent.

CVE-2026-47232 is the most severe: the mode=export action in modules/sso/keys.php exports a PKCS#12 bundle containing the configured private key and certificate, but the CSRF validation line is commented out in the source. A forged cross-site POST from an administrator's browser can silently exfiltrate the organization's SSO signing key material. CVE-2026-47229 targets the SSO client enable action in modules/sso/clients.php — every state-changing branch validates an adm_csrf_token except the enable case, which is also reachable via plain GET parameters, making it trivially exploitable via an <img> tag or link. CVE-2026-47228 affects modules/registration.php mode send_login, which regenerates a random password for a user specified by user_uuid_assigned, stores its bcrypt hash, and emails the cleartext to that user. Every other state-changing mode in the same file calls checkCsrfToken(), but send_login does not, enabling a cross-site request to reset an arbitrary user's password without their knowledge.
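All three CSRF findings come from per-branch checks that were commented out, omitted for one case, or bypassable through GET. The added example below (not Admidio's code; csrfToken, csrfTokenValid, csrfGate and STATE_CHANGING_MODES are hypothetical names, and the session is modelled as a plain array so it runs offline) shows a single gate that runs before the mode switch, requires POST for every state-changing mode, and compares the adm_csrf_token parameter in constant time.

```php
<?php
// Added example, not Admidio code. The session array and requests are constructed.

// Issue a per-session token once; it is embedded as a hidden field in every form.
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Constant-time comparison; missing, empty and mismatched tokens all fail.
function csrfTokenValid(array $session, ?string $submitted): bool
{
    if (!is_string($submitted) || $submitted === '' || empty($session['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], $submitted);
}

// Modes that change state. Anything not listed is treated as read-only.
const STATE_CHANGING_MODES = ['export', 'enable', 'disable', 'send_login'];

// Central gate, evaluated before any switch on $mode. Returns null when the
// request may proceed, otherwise the HTTP status to fail with. Because the
// check is not inside the switch, adding a new case cannot skip it, and a GET
// link or <img> tag cannot reach a state-changing mode at all.
function csrfGate(array $session, string $method, string $mode, array $post): ?int
{
    if (!in_array($mode, STATE_CHANGING_MODES, true)) {
        return null;
    }
    if ($method !== 'POST') {
        return 405;
    }
    if (!csrfTokenValid($session, $post['adm_csrf_token'] ?? null)) {
        return 403;
    }
    return null;
}

// Constructed requests against one session.
$session = [];
$token   = csrfToken($session);
$cases = [
    'GET enable via link'      => ['GET',  'enable',     []],
    'POST send_login, no token'=> ['POST', 'send_login', []],
    'POST export, wrong token' => ['POST', 'export',     ['adm_csrf_token' => str_repeat('0', 64)]],
    'POST export, valid token' => ['POST', 'export',     ['adm_csrf_token' => $token]],
    'GET view (read-only)'     => ['GET',  'view',       []],
];
foreach ($cases as $label => [$method, $mode, $post]) {
    $status = csrfGate($session, $method, $mode, $post);
    printf("%-26s -> %s\n", $label, $status === null ? 'allowed' : "rejected ($status)");
}
```

Putting the mode list in one constant also gives reviewers a single place to confirm that a new export or enable action is covered, which is exactly the check that was missed for the enable case and the commented-out export validation.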

Authorization bypasses and incomplete fixes (CVE-2026-47233, CVE-2026-47227, CVE-2026-47234)

CVE-2026-47233 documents an incomplete fix of a prior issue. Commit d37ca6b27b9674238e58491cf7ba292e66898f15 (April 12, 2026) added an isAdministratorInventory() gate to the case 'item_delete': handler in modules/inventory.php, but the sibling case 'field_delete': handler was left unguarded. Any logged-in user can therefore delete inventory field definitions — a privilege that should be reserved for inventory administrators.

CVE-2026-47227 describes a dead-code authorization check in modules/categories.php. The script verifies that the supplied type parameter corresponds to a module the actor administers, but the follow-up check at lines 56-61 is dead code because it compares $getType (a category-type code) against mode names rather than the actual category owner. A module administrator can therefore delete or reorder categories owned by other modules.
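Both CVE-2026-47233 and CVE-2026-47227 are checks that exist for some code paths and not others. The added example below (not Admidio's code; MODE_PRIVILEGES, authorizeMode, canManageCategory and the actor records are hypothetical) shows the two defensive shapes that close this class: a privilege table consulted before the switch, so an unlisted sibling case such as field_delete fails closed instead of running unguarded, and an object-level check that compares the category's owning module with the modules the actor administers rather than comparing a type code against mode names.

```php
<?php
// Added example, not Admidio code. Actors, privileges and categories are constructed.

// Privilege each state-changing mode requires. Unlisted modes are denied.
const MODE_PRIVILEGES = [
    'item_delete'  => 'inventory_admin',
    'field_delete' => 'inventory_admin',
    'item_edit'    => 'inventory_edit',
];

function actorHasPrivilege(array $actor, string $privilege): bool
{
    return in_array($privilege, $actor['privileges'], true);
}

// Evaluated once, before the mode switch, for every request.
function authorizeMode(array $actor, string $mode): bool
{
    if (!array_key_exists($mode, MODE_PRIVILEGES)) {
        return false; // fail closed: a forgotten table entry denies, it does not allow
    }
    return actorHasPrivilege($actor, MODE_PRIVILEGES[$mode]);
}

// Object-level check for categories: the question is "does this actor
// administer the module that owns this category", not "does the type code
// equal a mode name".
function canManageCategory(array $actor, array $category): bool
{
    return in_array($category['owner_module'], $actor['admin_modules'], true);
}

// Constructed actors and objects.
$member      = ['privileges' => ['inventory_edit'],                    'admin_modules' => []];
$invAdmin    = ['privileges' => ['inventory_admin', 'inventory_edit'], 'admin_modules' => ['inventory']];
$eventsAdmin = ['privileges' => [],                                    'admin_modules' => ['events']];

$rolesCategory  = ['type' => 'ROL', 'owner_module' => 'roles'];
$eventsCategory = ['type' => 'EVT', 'owner_module' => 'events'];

foreach (['item_delete', 'field_delete', 'item_edit', 'field_rename'] as $mode) {
    printf("member       %-13s %s\n", $mode, authorizeMode($member, $mode) ? 'allowed' : 'denied');
}
printf("inv admin    %-13s %s\n", 'field_delete', authorizeMode($invAdmin, 'field_delete') ? 'allowed' : 'denied');
printf("events admin on roles category:  %s\n", canManageCategory($eventsAdmin, $rolesCategory)  ? 'allowed' : 'denied');
printf("events admin on events category: %s\n", canManageCategory($eventsAdmin, $eventsCategory) ? 'allowed' : 'denied');
```

The table-first layout is what turns an incomplete fix into a visible one: a reviewer diffing the commit that guarded item_delete would see a single-entry change to MODE_PRIVILEGES and immediately ask why field_delete is absent.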

CVE-2026-47234 is a logging exposure: when debug logging is enabled, Session::setCookie() logs full cookie values and Session::start() logs the current session ID. In a real deployment this includes both the active session cookie and the persistent auto-login cookie. Anyone with access to the log sink — whether a local administrator, a SIEM operator, or an attacker who has compromised the server — can recover live bearer-style credentials.
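Disabling debug logging is the immediate mitigation, but a logger that never writes a usable credential is the durable one. The added example below (not Admidio's code; redactLogLine, fingerprint, lineExposesSecret, the cookie names and the sample log lines are all constructed for this demonstration) replaces cookie values and session IDs with a short hash fingerprint so entries remain correlatable, and includes a scan helper for finding lines in existing logs that already carry live values, which is the cue to invalidate those sessions and auto-login tokens.

```php
<?php
// Added example, not Admidio code. Cookie names and log lines are constructed.

// Non-reversible, truncated fingerprint: lets two log lines about the same
// session be correlated without exposing the secret itself.
function fingerprint(string $secret): string
{
    return substr(hash('sha256', $secret), 0, 8) . '...';
}

// Redact "name=value" pairs for sensitive cookie names and "session id: <value>"
// style messages before the line reaches any log sink.
function redactLogLine(string $line, array $sensitiveCookies): string
{
    foreach ($sensitiveCookies as $name) {
        $line = preg_replace_callback(
            '/\b' . preg_quote($name, '/') . '=([^;\s]+)/',
            fn(array $m) => $name . '=' . fingerprint($m[1]),
            $line
        );
    }
    $line = preg_replace_callback(
        '/(session\s*id\s*[:=]\s*)([A-Za-z0-9,_-]+)/i',
        fn(array $m) => $m[1] . fingerprint($m[2]),
        $line
    );
    return $line;
}

// Append-only writer that always passes through the redaction step.
function safeDebugLog(string $message, array $sensitiveCookies, string $logFile): void
{
    file_put_contents($logFile, redactLogLine($message, $sensitiveCookies) . PHP_EOL, FILE_APPEND);
}

// For auditing logs written before the fix: a line that changes under
// redaction is one that currently exposes a secret.
function lineExposesSecret(string $line, array $sensitiveCookies): bool
{
    return redactLogLine($line, $sensitiveCookies) !== $line;
}

// Constructed sample lines in the shape a cookie/session debug log might take.
$sensitive = ['SESSION_COOKIE', 'AUTOLOGIN_COOKIE']; // hypothetical cookie names
$lines = [
    'setCookie: SESSION_COOKIE=abc123sessionvalue; path=/; HttpOnly',
    'setCookie: AUTOLOGIN_COOKIE=longlivedtoken9876; path=/; Secure',
    'Session::start session id: abc123sessionvalue',
    'setCookie: THEME=dark; path=/',
];
foreach ($lines as $line) {
    printf("[%s] %s\n", lineExposesSecret($line, $sensitive) ? 'EXPOSED ' : 'clean   ', redactLogLine($line, $sensitive));
}
```

Running lineExposesSecret over an archived debug log after enabling the fix answers the question this CVE raises for responders: which sessions and auto-login cookies must be treated as compromised and revoked.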

Patch status and response

Admidio maintainers have been notified and the issues are addressed in the latest release. Users should upgrade to the most recent version of Admidio immediately. For deployments where an immediate upgrade is not possible, administrators should disable debug logging (to mitigate CVE-2026-47234), review SSO key export access, and consider additional access controls on the documents-files module until patching is complete.

Why this batch matters

This disclosure event is notable for its density of IDOR bugs in a single module — three of the nine CVEs share the same root cause in documents-files.php — and for the presence of a CSRF hole that can leak SSO private keys. Organizations using Admidio for membership management, especially those that have enabled SSO or store sensitive documents in the file module, should treat this batch as a priority upgrade.

AI-written article. Grounded in 9 CVE records listed below.