CVE-2026-34381

HIGH EPSS 43.1%
Published Mar 31, 20263mo ago · Modified Jun 17, 20261w ago
7.5 CVSS 3.1
High
Find Similar
Published Mar 31, 2026 3mo ago
Last Modified Jun 17, 2026 1w ago

Description

Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, Admidio relies on adm_my_files/.htaccess to deny direct HTTP access to uploaded documents. The Docker image ships with AllowOverride None in the Apache configuration, which causes Apache to silently ignore all .htaccess files. As a result, any file uploaded to the documents module regardless of the role-based permissions configured in the UI, is directly accessible over HTTP without authentication by anyone who knows the file path. The file path is disclosed in the upload response JSON. This issue has been patched in version 5.0.8.

CVSS Details

Base Score
7.5
Exploitability
3.9
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None

Threat Intelligence

EPSS Exploit Probability
43.1% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-284

Affected Products 1

VendorProductVersionRange
admidioadmidio*≥5.0.0  –  <5.0.8

References 2

  • github.com https://github.com/Admidio/admidio/commit/5f770c1ca81a4f6b02136280cd63316a35aabaaf
    Patch
  • github.com https://github.com/Admidio/admidio/security/advisories/GHSA-7fh7-8xqm-3g88
    ExploitMitigationVendor Advisory

Remediation

  • github.com https://github.com/Admidio/admidio/commit/5f770c1ca81a4f6b02136280cd63316a35aabaaf
    Patch