PhpMyAdmin exposure of sensitive information
Description
PhpMyAdmin 5.1.1 and before allows an attacker to retrieve potentially sensitive information by creating invalid requests. This affects the lang parameter, the pma_parameter, and the cookie section.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
PhpMyAdmin 5.1.1 and earlier allows information disclosure via crafted requests to the lang, pma_parameter, or cookie parameters.
Vulnerability
PhpMyAdmin versions 5.1.1 and earlier, as well as the 4.9.x branch (in extended security support), contain an information disclosure vulnerability. By crafting invalid requests targeting the lang parameter, the pma_parameter, or the cookie section, an attacker can trigger error messages that reveal sensitive information, such as the server's filesystem path. [1][2] The issue is exacerbated when the PHP display_errors directive is enabled, which is not recommended for production environments. [2]
Exploitation
An attacker can send specially crafted HTTP requests to a phpMyAdmin instance. The requests must include malformed values for the lang parameter, the pma_parameter, or the cookie section. No authentication is required, as these parameters are processed before authentication. The attack is more likely to succeed if the server has display_errors enabled, causing PHP error messages to be output directly. [2] The attacker does not need any special network position beyond being able to reach the phpMyAdmin web interface.
Impact
Successful exploitation results in the disclosure of potentially sensitive information, such as the absolute filesystem path where phpMyAdmin is installed. This information can aid an attacker in further attacks, such as path traversal or local file inclusion. The vulnerability does not directly allow code execution or privilege escalation, but the leaked path reduces the attacker's uncertainty about the server environment. [1][2]
Mitigation
The vulnerability is fixed in phpMyAdmin versions 4.9.10 and 5.1.3, released on February 11, 2022. [2] Users should upgrade to these versions or later. For those unable to upgrade, a workaround is to ensure that the PHP display_errors directive is set to Off in production environments, which reduces the risk of information leakage. [2] The Gentoo security advisory (GLSA 202311-17) recommends upgrading to version 5.2.0. [3] No known workaround exists beyond disabling error display and upgrading.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| phpmyadmin/phpmyadmin (Packagist) | < 5.1.3 | 5.1.3 |
Affected products
OSV package coordinates:
- pkg:bitnami/phpmyadmin
- pkg:composer/phpmyadmin/phpmyadmin
- pkg:rpm/opensuse/phpMyAdmin&distro=openSUSE%20Leap%2015.4
- pkg:rpm/suse/phpMyAdmin&distro=SUSE%20Package%20Hub%2015%20SP4
Version ranges:
- (no CPE) range: < 5.1.2
- (no CPE) range: < 5.1.3
- (no CPE) range: < 5.2.1-bp154.2.3.1
- (no CPE) range: < 5.2.1-bp154.2.3.1
- Range: 5.1.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-vx8q-j7h9-vf6q (advisory; source: GHSA)
- nvd.nist.gov/vuln/detail/CVE-2022-0813 (advisory; source: GHSA)
- security.gentoo.org/glsa/202311-17 (vendor advisory; source: GHSA)
- www.phpmyadmin.net/news/2022/2/11/phpmyadmin-4910-and-513-are-released (web; source: GHSA)
- www.incibe-cert.es/en/early-warning/security-advisories/phpmyadmin-exposure-sensitive-information (source: MITRE)
- www.phpmyadmin.net/news/2022/2/11/phpmyadmin-4910-and-513-are-released/ (source: MITRE)
News mentions
No linked articles in our index yet.