VYPR
High severity · CISA KEV · NVD Advisory · Published Feb 11, 2021 · Updated Oct 21, 2025

SSRF in adminer

CVE-2021-21311

Description

Adminer is an open-source database management tool in a single PHP file. Adminer versions from 4.0.0 up to, but not including, 4.7.9 contain a server-side request forgery (SSRF) vulnerability. Users of Adminer versions bundling all drivers (e.g. adminer.php) are affected. This is fixed in version 4.7.9.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
vrana/adminer (Packagist) | < 4.7.9 | 4.7.9

Affected products

  • vrana/adminerv5
    Range: >= 4.0.0, < 4.7.9

Patches

ccd2374b0b12

Elasticsearch, ClickHouse: Do not print response if HTTP code is not 200

https://github.com/vrana/adminer · Jakub Vrana · Feb 5, 2021 · via ghsa
3 files changed · +3 −2
  • adminer/drivers/clickhouse.inc.php · +1 −1 · modified
    @@ -22,7 +22,7 @@ function rootQuery($db, $query) {
     				return $file;
     			}
     			if (!preg_match('~^HTTP/[0-9.]+ 2~i', $http_response_header[0])) {
    -				$this->error = $file;
    +				$this->error = lang('Invalid credentials.') . " $http_response_header[0]";
     				return false;
     			}
     			$return = json_decode($file, true);
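Review bot: The added line in rootQuery() still copies `$http_response_header[0]` into `$this->error`, and that status line is chosen by whatever host answered the request, so a remote-controlled string still reaches the error message even though the body (`$file`) no longer does. Consider extracting only the numeric status code from the header before appending it, and confirm that `$this->error` is HTML-escaped wherever it is rendered. A short comment above the line explaining that the body is withheld on purpose would keep a later change from restoring `$this->error = $file`.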
    
  • adminer/drivers/elastic.inc.php · +1 −1 · modified
    @@ -28,7 +28,7 @@ function rootQuery($path, $content = array(), $method = 'GET') {
     					return $file;
     				}
     				if (!preg_match('~^HTTP/[0-9.]+ 2~i', $http_response_header[0])) {
    -					$this->error = $file;
    +					$this->error = lang('Invalid credentials.') . " $http_response_header[0]";
     					return false;
     				}
     				$return = json_decode($file, true);
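Review bot: The added line labels every non-2xx response as `lang('Invalid credentials.')`, but the surrounding `preg_match('~^HTTP/[0-9.]+ 2~i', ...)` check also fails for statuses that have nothing to do with authentication (for example a 404 or 500), so the message will mislead users who are debugging a wrong host or path. Consider using the credentials message only for 401/403 and a neutral "unexpected response" message otherwise. The line is also identical to the one added in clickhouse.inc.php; a shared helper would keep the two drivers from drifting apart.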
    
  • changes.txt · +1 −0 · modified
    @@ -1,4 +1,5 @@
     Adminer 4.7.9-dev:
    +Elasticsearch, ClickHouse: Do not print response if HTTP code is not 200
     Re-enable PHP warnings (regression from 4.7.8)
     
     Adminer 4.7.8 (released 2020-12-06):
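Review bot: The added changelog entry says "if HTTP code is not 200", while the driver checks in this commit accept any status whose code starts with 2, so "not 2xx" would describe the behaviour accurately. The entry also reads as a routine behaviour change; marking it as a security fix would tell users of the affected drivers that upgrading is not optional.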
    
