VYPR
Advisory · Published May 31, 2026 · 1 source

Nine CVEs Disclosed in Admidio Membership Platform: IDOR, CSRF, and Auth Bypass Flaws

Nine vulnerabilities were disclosed on May 29, 2026, in the open-source Admidio membership management system, including IDOR bugs, missing CSRF protections, and an incomplete authorization fix that could leak SSO private keys.

Nine security vulnerabilities were disclosed together on May 29, 2026, affecting Admidio, the open-source membership and organization management system written in PHP. The batch — published within a 15-minute window — clusters around three themes: insecure direct object references (IDOR) in the documents and files module, missing CSRF protections on sensitive administrative actions, and an incomplete authorization fix that leaves inventory field deletion exposed.

Three of the nine CVEs share a common architectural flaw in modules/documents-files.php. The file's state-changing handlers validate upload rights against the folder_uuid URL parameter, but then operate on a *different* resource identified by file_uuid — with no cross-check that the target file belongs to the authorized folder. CVE-2026-47231 (high severity) lets any folder-uploader move files out of private folders via the mode=move_save handler. CVE-2026-47230 covers the same pattern for the file_rename_save handler, allowing cross-folder file renaming and description changes by unauthorized uploaders. CVE-2026-47226 extends the pattern to file deletion: an authenticated member with upload rights on any single folder can permanently delete files from folders where they have only view access.
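The following PHP script is an added illustration of the pattern described above, written for this page rather than taken from Admidio: a handler that checks upload rights against a client-supplied `folder_uuid` and then acts on an unrelated `file_uuid`, beside a version that derives the folder from the file record and authorizes against that. The function names, the array-backed data model, the rights model and the sample users and folders are all constructed assumptions for the example.

```php
<?php
declare(strict_types=1);

// Added illustration (not Admidio code) of the IDOR pattern and its fix.
// The handler names, array layout and rights model are assumptions.

// Constructed sample data: alice may upload only into the "Shared" folder;
// "board-minutes.pdf" lives in the "Private" folder, which she may merely view.
$folders = [
    'folder-shared'  => ['name' => 'Shared',  'uploaders' => ['alice']],
    'folder-private' => ['name' => 'Private', 'uploaders' => ['board']],
];
$files = [
    'file-minutes' => ['name' => 'board-minutes.pdf', 'folder' => 'folder-private'],
];

function userMayUpload(array $folders, string $folderUuid, string $user): bool
{
    return isset($folders[$folderUuid])
        && in_array($user, $folders[$folderUuid]['uploaders'], true);
}

// Flawed pattern: the right is checked against the client-supplied folder_uuid,
// but the change is applied to file_uuid, with no check that they belong together.
function moveFileFlawed(array &$files, array $folders, string $user,
                        string $folderUuid, string $fileUuid, string $targetFolderUuid): bool
{
    if (!userMayUpload($folders, $folderUuid, $user)) {
        return false;
    }
    if (!isset($files[$fileUuid])) {
        return false;
    }
    $files[$fileUuid]['folder'] = $targetFolderUuid;
    return true;
}

// Hardened pattern: derive the folder from the file record itself and authorize
// against that, so a mismatching folder_uuid can never widen the user's rights.
function moveFileHardened(array &$files, array $folders, string $user,
                          string $folderUuid, string $fileUuid, string $targetFolderUuid): bool
{
    if (!isset($files[$fileUuid])) {
        return false;
    }
    $ownerFolder = $files[$fileUuid]['folder'];
    if ($ownerFolder !== $folderUuid) {
        return false;   // the object does not belong to the container that was authorized
    }
    if (!userMayUpload($folders, $ownerFolder, $user)
        || !userMayUpload($folders, $targetFolderUuid, $user)) {
        return false;   // rights are needed on both the source and the destination folder
    }
    $files[$fileUuid]['folder'] = $targetFolderUuid;
    return true;
}

// Constructed request: alice authorizes with her own folder but names a file from the private one.
$req = ['folder_uuid' => 'folder-shared', 'file_uuid' => 'file-minutes', 'target' => 'folder-shared'];

$copy = $files;
$ok = moveFileFlawed($copy, $folders, 'alice', $req['folder_uuid'], $req['file_uuid'], $req['target']);
printf("flawed   : moved=%s, file now in %s\n", var_export($ok, true), $copy['file-minutes']['folder']);

$copy = $files;
$ok = moveFileHardened($copy, $folders, 'alice', $req['folder_uuid'], $req['file_uuid'], $req['target']);
printf("hardened : moved=%s, file now in %s\n", var_export($ok, true), $copy['file-minutes']['folder']);
```

Run with `php idor-example.php`: the flawed handler reports the file moved into the shared folder, the hardened one refuses and leaves it in the private folder. The design point is that the authorization subject must be the object actually modified; once the folder is derived from the file record, the client-supplied `folder_uuid` can be dropped entirely or kept only as a consistency check.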

Three CVEs involve missing or bypassed Cross-Site Request Forgery protections on operations that should require explicit user intent. CVE-2026-47232 is the most severe: the mode=export action in modules/sso/keys.php exports a PKCS#12 bundle containing the configured private key and certificate, but the CSRF validation line is commented out in the source. A forged cross-site POST from an administrator's browser can silently exfiltrate the organization's SSO signing key material. CVE-2026-47229 targets the SSO client enable action in modules/sso/clients.php — every state-changing branch validates an adm_csrf_token except the enable case, which is also reachable via plain GET parameters, making it trivially exploitable via an <img> tag or link. CVE-2026-47228 affects modules/registration.php mode send_login, which regenerates a random password for a user specified by user_uuid_assigned, stores its bcrypt hash, and emails the cleartext to that user. Every other state-changing mode in the same file calls checkCsrfToken(), but send_login does not, enabling a cross-site request to reset an arbitrary user's password without their knowledge.
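As an added example, not code from Admidio, the script below shows the shape of a state-changing handler that cannot be driven by a cross-site `<img>` tag or auto-submitted form: it refuses anything but a POST and compares a per-session token in constant time before touching any key material. The session array, the `handleSsoKeyExport` stand-in, the request shapes and the error class are assumptions made for this example; only the token parameter name `adm_csrf_token` comes from the advisory.

```php
<?php
declare(strict_types=1);

// Added illustration (not Admidio code): a state-changing handler that refuses
// anything except a POST carrying the session's CSRF token. The session array,
// handler names and request shape are assumptions made for this example.

final class CsrfError extends RuntimeException {}

// One token per session, minted once from a CSPRNG.
function issueCsrfToken(array &$session): string
{
    if (!isset($session['adm_csrf_token'])) {
        $session['adm_csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['adm_csrf_token'];
}

function checkCsrfToken(array $session, string $method, array $post): void
{
    // Rejecting GET closes the "reachable via plain GET parameters" path outright.
    if ($method !== 'POST') {
        throw new CsrfError('state-changing action must be requested with POST');
    }
    $sent = $post['adm_csrf_token'] ?? null;
    if (!is_string($sent) || $sent === '' || !isset($session['adm_csrf_token'])
        || !hash_equals($session['adm_csrf_token'], $sent)) {
        throw new CsrfError('missing or invalid CSRF token');
    }
}

// Stand-in for the key export: the token check runs before any key material is read.
function handleSsoKeyExport(array $session, string $method, array $post, bool $isAdmin): string
{
    if (!$isAdmin) {
        throw new RuntimeException('administrator rights required');
    }
    checkCsrfToken($session, $method, $post);   // the call the flawed handler had commented out
    return 'PKCS#12 bundle released to the requesting browser';   // placeholder for the real export
}

$session = [];
$token = issueCsrfToken($session);

// Constructed requests. A cross-site page can cause the first two, but it cannot
// read the token out of the victim's session, so it cannot produce the third.
$requests = [
    'cross-site GET (img/link)'  => ['GET',  []],
    'cross-site POST (form)'     => ['POST', ['mode' => 'export']],
    'same-site POST with token'  => ['POST', ['mode' => 'export', 'adm_csrf_token' => $token]],
];

foreach ($requests as $label => [$method, $post]) {
    try {
        $result = handleSsoKeyExport($session, $method, $post, true);
        printf("%-28s -> allowed: %s\n", $label, $result);
    } catch (CsrfError $e) {
        printf("%-28s -> blocked: %s\n", $label, $e->getMessage());
    }
}
```

The same `checkCsrfToken()` call placed at the top of the `enable` branch in an SSO client handler, or the `send_login` mode in a registration handler, is what makes those modes consistent with their siblings. The method check matters on its own: an action that is reachable by GET is triggered by any embedded resource load, regardless of whether a token is checked elsewhere in the file.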

CVE-2026-47233 documents an incomplete fix of a prior issue. Commit d37ca6b27b9674238e58491cf7ba292e66898f15 (April 12, 2026) added an isAdministratorInventory() gate to the case 'item_delete': handler in modules/inventory.php, but the sibling case 'field_delete': handler was left unguarded. Any logged-in user can therefore delete inventory field definitions — a privilege that should be reserved for inventory administrators. CVE-2026-47227 describes a dead-code authorization check in modules/categories.php, where a module-administrator can delete or reorder categories owned by other modules. CVE-2026-47234 is a logging exposure: when debug logging is enabled, Session::setCookie() logs full cookie values and Session::start() logs the current session ID, including the active session cookie and the persistent auto-login cookie. Anyone with access to the log sink can recover live bearer-style credentials.
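Both CVE-2026-47233 (a guard added to one `case` but not its sibling) and CVE-2026-47227 (a check that is present but dead) are symptoms of authorization decided inside individual handlers. The PHP script below is an added example, not Admidio's code, of a default-deny dispatcher: every mode declares the privilege it requires in one table, the decision is made before the `switch`, and unknown modes are refused. The privilege names, the `dispatch()` helper, the inventory data and the sample users are assumptions for this example; only the mode names `item_delete` and `field_delete` come from the advisory.

```php
<?php
declare(strict_types=1);

// Added illustration (not Admidio code): a mode dispatcher for a module such as
// modules/inventory.php where every mode declares the privilege it needs, so a
// newly added or overlooked sibling case cannot run without a check.
// The privilege names, helper names and sample data are assumptions.

final class AuthorizationError extends RuntimeException {}

// Single source of truth: mode => required privilege. A mode missing here is refused.
const MODE_REQUIREMENTS = [
    'item_delete'  => 'inventory_admin',
    'field_delete' => 'inventory_admin',   // the sibling the incomplete fix left unguarded
    'item_view'    => 'member',
];

function userHasPrivilege(array $user, string $privilege): bool
{
    return in_array($privilege, $user['privileges'], true);
}

// Authorization is decided before the switch, so no handler can forget it.
function dispatch(array $user, string $mode, array &$inventory): string
{
    $required = MODE_REQUIREMENTS[$mode] ?? null;
    if ($required === null) {
        throw new AuthorizationError("unknown mode '$mode' refused by default");
    }
    if (!userHasPrivilege($user, $required)) {
        throw new AuthorizationError("mode '$mode' requires '$required'");
    }
    switch ($mode) {
        case 'item_delete':
            array_pop($inventory['items']);
            return 'item deleted';
        case 'field_delete':
            array_pop($inventory['fields']);
            return 'field deleted';
        case 'item_view':
            return 'items: ' . implode(', ', $inventory['items']);
    }
    throw new LogicException('unreachable: every listed mode has a case');
}

// Constructed data: an ordinary member and an inventory administrator.
$inventory = ['items' => ['projector', 'tent'], 'fields' => ['serial', 'location']];
$member = ['name' => 'alice', 'privileges' => ['member']];
$admin  = ['name' => 'bob',   'privileges' => ['member', 'inventory_admin']];

$attempts = [
    [$member, 'field_delete'],   // denied: the gap CVE-2026-47233 describes, now closed
    [$member, 'item_view'],      // allowed
    [$admin,  'field_delete'],   // allowed
    [$member, 'field_export'],   // denied: not in the table, so refused by default
];

foreach ($attempts as [$user, $mode]) {
    try {
        printf("%-5s %-13s -> %s\n", $user['name'], $mode, dispatch($user, $mode, $inventory));
    } catch (AuthorizationError $e) {
        printf("%-5s %-13s -> denied: %s\n", $user['name'], $mode, $e->getMessage());
    }
}
```

A table like `MODE_REQUIREMENTS` is also easy to audit: a reviewer can compare it against the `case` labels in the file and spot a mode that is handled but has no entry, which is exactly the review that a guard buried inside one branch does not invite.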

Admidio maintainers have been notified and the issues are addressed in the latest release. Users should upgrade to the most recent version of Admidio immediately. For deployments where an immediate upgrade is not possible, administrators should disable debug logging (to mitigate CVE-2026-47234), review SSO key export access, and consider additional access controls on the documents-files module until patching is complete.
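Disabling debug logging is the stopgap for CVE-2026-47234; the durable fix is debug output that never contains the cookie or session value in the first place. The PHP script below is an added example, not Admidio's `Session` class, of cookie and session logging that records the cookie name, its flags and a short keyed fingerprint of the value, and then checks that no secret reached the log. The cookie names, the `LOG_FINGERPRINT_KEY` constant, the logger callable and the stand-in functions are all assumptions for this example.

```php
<?php
declare(strict_types=1);

// Added illustration (not Admidio code): debug logging around cookie handling that
// never writes the secret value. Cookie names, the fingerprint key, the logger and
// the stand-in functions are assumptions made for this example.

// Server-side key used only to fingerprint secrets in logs, so a leaked log alone
// cannot be turned back into a cookie value. Hypothetical config value.
const LOG_FINGERPRINT_KEY = 'replace-with-a-random-value-from-your-config';

// Log-safe description: length plus a short keyed hash for correlating log lines.
function describeSecret(string $secret): string
{
    $fingerprint = substr(hash_hmac('sha256', $secret, LOG_FINGERPRINT_KEY), 0, 8);
    return sprintf('[redacted len=%d fp=%s]', strlen($secret), $fingerprint);
}

// Stand-in for Session::setCookie(): stores the cookie and logs name and flags, never the value.
function setCookieLogged(string $name, string $value, array $options, callable $log, array &$jar): void
{
    $jar[$name] = $value;   // in real code: setcookie($name, $value, $options)
    $log(sprintf('Cookie set: name=%s value=%s secure=%s httponly=%s samesite=%s',
        $name,
        describeSecret($value),
        var_export($options['secure'] ?? false, true),
        var_export($options['httponly'] ?? false, true),
        $options['samesite'] ?? 'none'));
}

// Stand-in for Session::start(): records that a session resumed, with a fingerprint only.
function startSessionLogged(string $sessionId, callable $log): void
{
    $log('Session started: id=' . describeSecret($sessionId));
}

$lines = [];
$log = function (string $line) use (&$lines): void { $lines[] = $line; };
$jar = [];

// Constructed sample secrets standing in for the session and auto-login cookies.
$sessionId = bin2hex(random_bytes(16));
$autoLogin = bin2hex(random_bytes(32));
$flags = ['secure' => true, 'httponly' => true, 'samesite' => 'Lax'];

setCookieLogged('session', $sessionId, $flags, $log, $jar);
setCookieLogged('auto_login', $autoLogin, $flags, $log, $jar);
startSessionLogged($sessionId, $log);

// Check: no secret appears in any log line, even at debug level.
foreach ($lines as $line) {
    if (str_contains($line, $sessionId) || str_contains($line, $autoLogin)) {
        throw new RuntimeException('secret leaked into log: ' . $line);
    }
    echo $line, "\n";
}
```

The fingerprint keeps the lines useful for support work (two entries with the same `fp` refer to the same session) while anyone reading the log sink, including a log aggregator, gets nothing they can replay as a cookie.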

This disclosure event is notable for its density of IDOR bugs in a single module — three of the nine CVEs share the same root cause in documents-files.php — and for the presence of a CSRF hole that can leak SSO private keys. Organizations using Admidio for membership management, especially those that have enabled SSO or store sensitive documents in the file module, should treat this batch as a priority upgrade.

Synthesized by Vypr AI