VYPR
High severity · NVD Advisory · Published Mar 20, 2026 · Updated Mar 20, 2026

Admidio: Second-Order SQL Injection via List Configuration (lsc_special_field, lsc_sort, lsc_filter)

CVE-2026-32813

Description

Admidio is an open-source user management solution. Versions 5.0.6 and below are vulnerable to arbitrary SQL Injection through the MyList configuration feature. The MyList configuration feature lets authenticated users define custom list column layouts, storing user-supplied column names, sort directions, and filter conditions in the adm_list_columns table via prepared statements. However, these stored values are later read back and interpolated directly into dynamically constructed SQL queries without sanitization or parameterization, creating a classic second-order SQL injection vulnerability (safe write, unsafe read). An attacker can exploit this to inject arbitrary SQL, potentially reading, modifying, or deleting any data in the database and achieving full database compromise. This issue has been fixed in version 5.0.7.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Admidio 5.0.6 and below have a second-order SQL injection in the MyList configuration feature, allowing authenticated attackers to compromise the database.

Admidio, an open-source user management system, is vulnerable to a second-order SQL injection in versions up to 5.0.6. The vulnerability resides in the MyList configuration feature, where authenticated users can define custom list column layouts. User-supplied column names, sort directions, and filter conditions are stored in the adm_list_columns table using prepared statements, ensuring safe storage. However, when the list is later displayed, these stored values are read back and directly interpolated into dynamically constructed SQL queries without any sanitization or parameterization, creating a classic second-order SQL injection (safe write, unsafe read) [1][3].

Exploitation occurs in two steps. First, an attacker with a valid account stores a malicious payload via the mylist_function.php module, where the only validation on column values is a prefix check (must start with usr_ or mem_); sort and filter values have no validation. Second, when the list is viewed via lists_show.php, the ListConfiguration::getSql() method reads the stored values and uses them directly in SQL SELECT, ORDER BY, and WHERE clauses. This allows the attacker to inject arbitrary SQL syntax at multiple points, including the lsc_special_field in the SELECT clause [2][3].
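The two-step pattern above (safe write, unsafe read) is easier to see in code. The following is an added example for this page, not Admidio's code: a Python/sqlite3 stand-in for the PHP flow, with a constructed schema in which only the names adm_list_columns, lsc_special_field, lsc_sort and lsc_filter come from the advisory; adm_users and its columns, the usr_/mem_ prefix check, and the allowlists in the hardened reader are assumptions. It stores two payloads through a parameterized INSERT exactly as a well-meaning write path would, shows the vulnerable reader turning them into a password-hash leak and a filter bypass, and then shows a hardened reader that allowlists every identifier and binds the filter as a value.

```python
import re
import sqlite3

# Constructed toy schema. Only adm_list_columns and the lsc_* columns are taken
# from the advisory; adm_users and its columns are assumptions for the demo.
SCHEMA = """
CREATE TABLE adm_users (
    usr_id            INTEGER PRIMARY KEY,
    usr_login_name    TEXT NOT NULL,
    usr_password_hash TEXT NOT NULL
);
CREATE TABLE adm_list_columns (
    lsc_id            INTEGER PRIMARY KEY,
    lsc_special_field TEXT NOT NULL,
    lsc_sort          TEXT,
    lsc_filter        TEXT
);
INSERT INTO adm_users VALUES (1, 'alice', '$2y$10$alicehash');
INSERT INTO adm_users VALUES (2, 'bob',   '$2y$10$bobhash');
"""

# Hardened reader policy (assumed): columns a list view may show, sort keywords.
ALLOWED_COLUMNS = {"usr_id", "usr_login_name"}
ALLOWED_SORT = {"ASC", "DESC"}
IDENT_RE = re.compile(r"^(usr|mem)_[a-z0-9_]+$")


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def store_column(conn, special_field, sort, filter_value):
    """The 'safe write': a usr_/mem_ prefix check on the column name (as the
    advisory describes), nothing on sort/filter, then a prepared INSERT.
    The payload is stored verbatim, which is all a second-order bug needs."""
    if not (special_field.startswith("usr_") or special_field.startswith("mem_")):
        raise ValueError("column must start with usr_ or mem_")
    cur = conn.execute(
        "INSERT INTO adm_list_columns (lsc_special_field, lsc_sort, lsc_filter) "
        "VALUES (?, ?, ?)",
        (special_field, sort, filter_value),
    )
    return cur.lastrowid


def load_column(conn, lsc_id):
    return conn.execute(
        "SELECT lsc_special_field, lsc_sort, lsc_filter "
        "FROM adm_list_columns WHERE lsc_id = ?",
        (lsc_id,),
    ).fetchone()


def get_sql_vulnerable(conn, lsc_id):
    """The 'unsafe read': stored values pasted into SELECT, WHERE and ORDER BY."""
    col, sort, flt = load_column(conn, lsc_id)
    sql = f"SELECT {col} FROM adm_users"
    if flt:
        sql += f" WHERE {flt}"
    sql += f" ORDER BY {col} {sort}"
    return sql


def run_vulnerable(conn, lsc_id):
    return conn.execute(get_sql_vulnerable(conn, lsc_id)).fetchall()


def get_sql_hardened(conn, lsc_id):
    """Allowlist every identifier, bind every value. The filter is treated as a
    literal compared against the chosen column (a design choice for this
    example, not a claim about Admidio's filter semantics)."""
    col, sort, flt = load_column(conn, lsc_id)
    if not IDENT_RE.fullmatch(col) or col not in ALLOWED_COLUMNS:
        raise ValueError(f"rejected stored column name {col!r}")
    sort = (sort or "ASC").upper()
    if sort not in ALLOWED_SORT:
        raise ValueError(f"rejected stored sort direction {sort!r}")
    # col and sort are interpolated only after passing the allowlists above.
    sql = f"SELECT {col} FROM adm_users"
    params = ()
    if flt:
        sql += f" WHERE {col} = ?"
        params = (flt,)
    sql += f" ORDER BY {col} {sort}"
    return sql, params


def run_hardened(conn, lsc_id):
    sql, params = get_sql_hardened(conn, lsc_id)
    return conn.execute(sql, params).fetchall()


def demo():
    conn = open_db()
    # Payload 1: passes the prefix check but smuggles a second column into SELECT.
    col_payload = store_column(conn, "usr_login_name, usr_password_hash", "ASC", "")
    # Payload 2: legitimate column, but the unvalidated filter is raw SQL.
    flt_payload = store_column(conn, "usr_login_name", "ASC", "usr_id = 0 OR 1=1")
    benign = store_column(conn, "usr_login_name", "ASC", "alice")

    leaked_hashes = run_vulnerable(conn, col_payload)   # hashes of every user
    filter_bypass = run_vulnerable(conn, flt_payload)   # every login name
    try:
        run_hardened(conn, col_payload)
        col_blocked = False
    except ValueError:
        col_blocked = True
    neutralised = run_hardened(conn, flt_payload)       # bound value, no such user
    return leaked_hashes, filter_bypass, col_blocked, neutralised, run_hardened(conn, benign)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The prefix check is the detail to notice: "usr_login_name, usr_password_hash" starts with usr_, so a write-side check that only looks at the prefix accepts it, and the read side has no way to tell it apart from a real column name. Validation of stored identifiers belongs on the read path (against the actual schema, not a prefix), whatever the write path did, because the row may have been written by an older version or by a direct database edit.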

The impact is severe: an authenticated attacker can read, modify, or delete any data in the database, potentially achieving full database compromise [1][3]. The vulnerability does not require privileges beyond basic authentication, making it accessible to any user with the ability to configure list columns.

The issue has been fixed in Admidio version 5.0.7. Administrators are strongly advised to update to this patched version immediately [1][2]. The fix, visible in the commit at reference [2], modifies how special fields are handled and adds sanitization for stored values before their use in SQL queries. No known workarounds exist for unpatched versions.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
admidio/admidio (Packagist) | < 5.0.7 | 5.0.7

Affected products

2
  • Admidio/Admidio (2 versions)
    • (no CPE) range: <=5.0.6
    • (no CPE) range: < 5.0.7

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

4

News mentions

0

No linked articles in our index yet.