CVE-2026-34381
HIGH EPSS 43.1%
Published Mar 31, 20263mo ago · Modified Jun 17, 20261w ago
7.5 CVSS 3.1
Published Mar 31, 2026 3mo ago
Last Modified Jun 17, 2026 1w ago
Description
Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, Admidio relies on adm_my_files/.htaccess to deny direct HTTP access to uploaded documents. The Docker image ships with AllowOverride None in the Apache configuration, which causes Apache to silently ignore all .htaccess files. As a result, any file uploaded to the documents module regardless of the role-based permissions configured in the UI, is directly accessible over HTTP without authentication by anyone who knows the file path. The file path is disclosed in the upload response JSON. This issue has been patched in version 5.0.8.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None
Threat Intelligence
EPSS Exploit Probability
43.1% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available
Weaknesses 1
CWE-284
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| admidio | admidio | * | ≥5.0.0 – <5.0.8 |
References 2
- github.com https://github.com/Admidio/admidio/commit/5f770c1ca81a4f6b02136280cd63316a35aabaaf
- github.com https://github.com/Admidio/admidio/security/advisories/GHSA-7fh7-8xqm-3g88
Remediation
- github.com https://github.com/Admidio/admidio/commit/5f770c1ca81a4f6b02136280cd63316a35aabaaf