CVE-2021-43008
Description
Improper Access Control in Adminer versions 1.12.0 to 4.6.2 (fixed in version 4.6.3) allows an attacker to achieve Arbitrary File Read on the remote server by requesting the Adminer to connect to a remote MySQL database.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| vrana/adminer (Packagist) | >= 1.12.0, < 4.6.3 | 4.6.3 |
Vulnerability mechanics
Root cause
"Missing access control on file operations allows an attacker-controlled MySQL server to read arbitrary files from the Adminer host."
Attack vector
An attacker tricks an Adminer instance (running on a target server) into connecting to a remote MySQL database that the attacker controls. Because Adminer's connection logic does not properly restrict file access, the attacker can issue SQL commands (e.g., `LOAD DATA LOCAL INFILE`) that cause the Adminer server to read arbitrary local files and transmit their contents to the attacker's database server. This exploits the trust Adminer places in the remote database server's responses, combined with missing access controls on the local filesystem [CWE-552].
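As an added defender-side example, not part of this advisory or of Adminer's own code: the Python below scans a recorded MySQL exchange and flags a server that answers an ordinary query with a LOCAL INFILE request, which is the protocol-level behaviour the attack above depends on. The packet framing and the COM_QUERY / 0xFB opcodes are from the public MySQL client/server protocol; the exchange format, function names and sample traffic are constructed for this example.

```python
# Added example, not from the advisory or Adminer: offline detection of a MySQL
# server answering an ordinary query with a LOCAL INFILE request (0xFB). Packet
# framing and opcodes are from the public MySQL client/server protocol.
COM_QUERY = 0x03
LOCAL_INFILE_REQUEST = 0xFB

def make_packet(seq: int, payload: bytes) -> bytes:
    """Frame a payload as one MySQL packet: 3-byte LE length, 1-byte seq id."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

def split_packets(stream: bytes):
    """Split a raw byte stream into packet payloads; reject truncated frames."""
    payloads, i = [], 0
    while i < len(stream):
        if i + 4 > len(stream):
            raise ValueError("truncated packet header")
        length = int.from_bytes(stream[i:i + 3], "little")
        payload = stream[i + 4:i + 4 + length]
        if len(payload) != length:
            raise ValueError("truncated packet body")
        payloads.append(payload)
        i += 4 + length
    return payloads

def find_unsolicited_infile(exchange):
    """exchange: list of (direction, raw_bytes), direction 'c' (client) or 's'
    (server). Return (query, filename) pairs where the server asked the client
    to upload a local file although the last query was not LOAD DATA LOCAL."""
    findings, last_query = [], None
    for direction, raw in exchange:
        for payload in split_packets(raw):
            if direction == "c" and payload[:1] == bytes([COM_QUERY]):
                last_query = payload[1:].decode("utf-8", "replace")
            elif direction == "s" and payload[:1] == bytes([LOCAL_INFILE_REQUEST]):
                q = " ".join((last_query or "").split()).lower()
                if not (q.startswith("load data") and "local infile" in q):
                    findings.append((last_query, payload[1:].decode("utf-8", "replace")))
    return findings

# Constructed traffic: a rogue server answers "SELECT 1" with a file request.
ROGUE_EXCHANGE = [
    ("c", make_packet(0, bytes([COM_QUERY]) + b"SELECT 1")),
    ("s", make_packet(1, bytes([LOCAL_INFILE_REQUEST]) + b"/etc/hostname")),
]
# Constructed traffic: the same request after a genuine LOAD DATA LOCAL query.
BENIGN_EXCHANGE = [
    ("c", make_packet(0, bytes([COM_QUERY]) + b"LOAD DATA LOCAL INFILE 'rows.csv' INTO TABLE t")),
    ("s", make_packet(1, bytes([LOCAL_INFILE_REQUEST]) + b"rows.csv")),
]
```

The same check applies at the client: a MySQL client library that disables LOCAL INFILE (for example, mysqli's `MYSQLI_OPT_LOCAL_INFILE` set to false) refuses such requests outright, which is the mitigation a web tool connecting to untrusted servers needs.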
Affected code
The vulnerability affects Adminer versions 1.12.0 through 4.6.2. The product is a single-file PHP database management tool that allows connecting to remote databases. The flaw lies in how Adminer handles file access when establishing connections to a remote MySQL database server controlled by an attacker.
What the fix does
The advisory does not include a patch diff. The fix in version 4.6.3 addresses the improper access control by restricting how Adminer handles file operations during database connections. Without the patch source, the specific code changes cannot be detailed, but the remediation prevents the attacker-controlled MySQL server from triggering arbitrary file reads on the Adminer host.
Preconditions
- config: Adminer version 1.12.0 through 4.6.2 must be deployed and accessible to the attacker
- network: the attacker must operate a remote MySQL database server that Adminer can be directed to connect to
- input: the attacker must be able to supply the connection parameters (host, credentials) to Adminer, or Adminer must accept connection parameters from the attacker
Generated on May 30, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-rxfq-3vpc-vv72 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-43008 (NVD)
- github.com/vrana/adminer/releases/tag/v4.6.3 (release notes for the fixed version)
- lists.debian.org/debian-lts-announce/2022/05/msg00012.html (Debian LTS mailing list announcement)
- podalirius.net/en/cves/2021-43008 (write-up; listed by GHSA and MITRE)
- sansec.io/research/adminer-4.6.2-file-disclosure-vulnerability (write-up)
- www.adminer.org (vendor site; listed by GHSA and MITRE)