Vulnerability-Lookup

CVE-2026-32813 (GCVE-0-2026-32813)

Vulnerability from cvelistv5 – Published: 2026-03-20 02:09 – Updated: 2026-03-20 14:39

Title

Admidio: Second-Order SQL Injection via List Configuration (lsc_special_field, lsc_sort, lsc_filter)

Summary

Admidio is an open-source user management solution. Versions 5.0.6 and below are vulnerable to arbitrary SQL Injection through the MyList configuration feature. The MyList configuration feature lets authenticated users define custom list column layouts, storing user-supplied column names, sort directions, and filter conditions in the adm_list_columns table via prepared statements. However, these stored values are later read back and interpolated directly into dynamically constructed SQL queries without sanitization or parameterization, creating a classic second-order SQL injection vulnerability (safe write, unsafe read). An attacker can exploit this to inject arbitrary SQL, potentially reading, modifying, or deleting any data in the database and achieving full database compromise. This issue has been fixed in version 5.0.7.

Severity ?

8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/Admidio/admidio/security/advis…	x_refsource_CONFIRM
	https://github.com/Admidio/admidio/commit/3473bf5…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Admidio	admidio	Affected: < 5.0.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32813",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-20T14:39:25.477961Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-20T14:39:28.844Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-3x67-4c2c-w45m"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "admidio",
          "vendor": "Admidio",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 5.0.7"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Admidio is an open-source user management solution. Versions 5.0.6 and below are vulnerable to arbitrary SQL Injection through the MyList configuration feature. The MyList configuration feature lets authenticated users define custom list column layouts, storing user-supplied column names, sort directions, and filter conditions in the adm_list_columns table via prepared statements. However, these stored values are later read back and interpolated directly into dynamically constructed SQL queries without sanitization or parameterization, creating a classic second-order SQL injection vulnerability (safe write, unsafe read). An attacker can exploit this to inject arbitrary SQL, potentially reading, modifying, or deleting any data in the database and achieving full database compromise. This issue has been fixed in version 5.0.7."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-20T02:09:07.610Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Admidio/admidio/security/advisories/GHSA-3x67-4c2c-w45m",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-3x67-4c2c-w45m"
        },
        {
          "name": "https://github.com/Admidio/admidio/commit/3473bf5a7aa1bfc5043e73979719396276f4189f",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Admidio/admidio/commit/3473bf5a7aa1bfc5043e73979719396276f4189f"
        }
      ],
      "source": {
        "advisory": "GHSA-3x67-4c2c-w45m",
        "discovery": "UNKNOWN"
      },
      "title": "Admidio: Second-Order SQL Injection via List Configuration (lsc_special_field, lsc_sort, lsc_filter)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-32813",
    "datePublished": "2026-03-20T02:09:07.610Z",
    "dateReserved": "2026-03-16T17:35:36.696Z",
    "dateUpdated": "2026-03-20T14:39:28.844Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-32813\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-20T02:16:35.210\",\"lastModified\":\"2026-03-23T15:25:42.963\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Admidio is an open-source user management solution. Versions 5.0.6 and below are vulnerable to arbitrary SQL Injection through the MyList configuration feature. The MyList configuration feature lets authenticated users define custom list column layouts, storing user-supplied column names, sort directions, and filter conditions in the adm_list_columns table via prepared statements. However, these stored values are later read back and interpolated directly into dynamically constructed SQL queries without sanitization or parameterization, creating a classic second-order SQL injection vulnerability (safe write, unsafe read). An attacker can exploit this to inject arbitrary SQL, potentially reading, modifying, or deleting any data in the database and achieving full database compromise. This issue has been fixed in version 5.0.7.\"},{\"lang\":\"es\",\"value\":\"Admidio es una soluci\u00f3n de gesti\u00f3n de usuarios de c\u00f3digo abierto. Las versiones 5.0.6 e inferiores son vulnerables a inyecci\u00f3n SQL arbitraria a trav\u00e9s de la caracter\u00edstica de configuraci\u00f3n MyList. La caracter\u00edstica de configuraci\u00f3n MyList permite a los usuarios autenticados definir dise\u00f1os de columnas de lista personalizados, almacenando nombres de columna, direcciones de ordenaci\u00f3n y condiciones de filtro proporcionados por el usuario en la tabla adm_list_columns a trav\u00e9s de sentencias preparadas. Sin embargo, estos valores almacenados se leen posteriormente y se interpolan directamente en consultas SQL construidas din\u00e1micamente sin sanitizaci\u00f3n ni parametrizaci\u00f3n, creando una vulnerabilidad de inyecci\u00f3n SQL de segundo orden cl\u00e1sica (escritura segura, lectura insegura). Un atacante puede explotar esto para inyectar SQL arbitrario, potencialmente leyendo, modificando o eliminando cualquier dato en la base de datos y logrando un compromiso total de la base de datos. Este problema ha sido corregido en la versi\u00f3n 5.0.7.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":8.0,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.1,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"5.0.7\",\"matchCriteriaId\":\"3347E657-D132-4D87-A355-391136657A27\"}]}]}],\"references\":[{\"url\":\"https://github.com/Admidio/admidio/commit/3473bf5a7aa1bfc5043e73979719396276f4189f\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/Admidio/admidio/security/advisories/GHSA-3x67-4c2c-w45m\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/Admidio/admidio/security/advisories/GHSA-3x67-4c2c-w45m\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-32813\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-20T14:39:25.477961Z\"}}}], \"references\": [{\"url\": \"https://github.com/Admidio/admidio/security/advisories/GHSA-3x67-4c2c-w45m\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-20T14:39:19.781Z\"}}], \"cna\": {\"title\": \"Admidio: Second-Order SQL Injection via List Configuration (lsc_special_field, lsc_sort, lsc_filter)\", \"source\": {\"advisory\": \"GHSA-3x67-4c2c-w45m\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"Admidio\", \"product\": \"admidio\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 5.0.7\"}]}], \"references\": [{\"url\": \"https://github.com/Admidio/admidio/security/advisories/GHSA-3x67-4c2c-w45m\", \"name\": \"https://github.com/Admidio/admidio/security/advisories/GHSA-3x67-4c2c-w45m\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/Admidio/admidio/commit/3473bf5a7aa1bfc5043e73979719396276f4189f\", \"name\": \"https://github.com/Admidio/admidio/commit/3473bf5a7aa1bfc5043e73979719396276f4189f\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Admidio is an open-source user management solution. Versions 5.0.6 and below are vulnerable to arbitrary SQL Injection through the MyList configuration feature. The MyList configuration feature lets authenticated users define custom list column layouts, storing user-supplied column names, sort directions, and filter conditions in the adm_list_columns table via prepared statements. However, these stored values are later read back and interpolated directly into dynamically constructed SQL queries without sanitization or parameterization, creating a classic second-order SQL injection vulnerability (safe write, unsafe read). An attacker can exploit this to inject arbitrary SQL, potentially reading, modifying, or deleting any data in the database and achieving full database compromise. This issue has been fixed in version 5.0.7.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-89\", \"description\": \"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-20T02:09:07.610Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-32813\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-20T14:39:28.844Z\", \"dateReserved\": \"2026-03-16T17:35:36.696Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-20T02:09:07.610Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-32813

Vulnerability from fkie_nvd - Published: 2026-03-20 02:16 - Updated: 2026-03-23 15:25

Severity ?

8.0 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/Admidio/admidio/commit/3473bf5a7aa1bfc5043e73979719396276f4189f	Patch
security-advisories@github.com	https://github.com/Admidio/admidio/security/advisories/GHSA-3x67-4c2c-w45m	Exploit, Mitigation, Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/Admidio/admidio/security/advisories/GHSA-3x67-4c2c-w45m	Exploit, Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	admidio	admidio	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3347E657-D132-4D87-A355-391136657A27",
              "versionEndExcluding": "5.0.7",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Admidio is an open-source user management solution. Versions 5.0.6 and below are vulnerable to arbitrary SQL Injection through the MyList configuration feature. The MyList configuration feature lets authenticated users define custom list column layouts, storing user-supplied column names, sort directions, and filter conditions in the adm_list_columns table via prepared statements. However, these stored values are later read back and interpolated directly into dynamically constructed SQL queries without sanitization or parameterization, creating a classic second-order SQL injection vulnerability (safe write, unsafe read). An attacker can exploit this to inject arbitrary SQL, potentially reading, modifying, or deleting any data in the database and achieving full database compromise. This issue has been fixed in version 5.0.7."
    },
    {
      "lang": "es",
      "value": "Admidio es una soluci\u00f3n de gesti\u00f3n de usuarios de c\u00f3digo abierto. Las versiones 5.0.6 e inferiores son vulnerables a inyecci\u00f3n SQL arbitraria a trav\u00e9s de la caracter\u00edstica de configuraci\u00f3n MyList. La caracter\u00edstica de configuraci\u00f3n MyList permite a los usuarios autenticados definir dise\u00f1os de columnas de lista personalizados, almacenando nombres de columna, direcciones de ordenaci\u00f3n y condiciones de filtro proporcionados por el usuario en la tabla adm_list_columns a trav\u00e9s de sentencias preparadas. Sin embargo, estos valores almacenados se leen posteriormente y se interpolan directamente en consultas SQL construidas din\u00e1micamente sin sanitizaci\u00f3n ni parametrizaci\u00f3n, creando una vulnerabilidad de inyecci\u00f3n SQL de segundo orden cl\u00e1sica (escritura segura, lectura insegura). Un atacante puede explotar esto para inyectar SQL arbitrario, potencialmente leyendo, modificando o eliminando cualquier dato en la base de datos y logrando un compromiso total de la base de datos. Este problema ha sido corregido en la versi\u00f3n 5.0.7."
    }
  ],
  "id": "CVE-2026-32813",
  "lastModified": "2026-03-23T15:25:42.963",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.0,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.1,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-20T02:16:35.210",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/Admidio/admidio/commit/3473bf5a7aa1bfc5043e73979719396276f4189f"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-3x67-4c2c-w45m"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-3x67-4c2c-w45m"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-3X67-4C2C-W45M

Vulnerability from github – Published: 2026-03-16 21:19 – Updated: 2026-03-20 21:19

Summary

Admidio has a Second-Order SQL Injection via List Configuration (lsc_special_field, lsc_sort, lsc_filter)

Details

Summary

The MyList configuration feature in Admidio allows authenticated users to define custom list column layouts. User-supplied column names, sort directions, and filter conditions are stored in the adm_list_columns table via prepared statements (safe storage), but are later read back and interpolated directly into dynamically constructed SQL queries without sanitization or parameterization. This is a classic second-order SQL injection: safe write, unsafe read.

An attacker can inject arbitrary SQL through these stored values to read, modify, or delete any data in the database, potentially achieving full database compromise.

Details

Step 1: Storing the Payload (Safe Write)

In modules/groups-roles/mylist_function.php (lines 89-115), user-supplied POST array values for column names, sort directions, and filter conditions are accepted. The only validation on column values is a prefix check (must start with usr_ or mem_). Sort and condition values have no validation at all. These values are stored in the database via ListConfiguration::addColumn() which calls Entity::save() using prepared statements -- so the INSERT/UPDATE is safe.

Key source file references: - D:\bugcrowd\admidio\repo\modules\groups-roles\mylist_function.php lines 89-115 - D:\bugcrowd\admidio\repo\src\Roles\Entity\ListConfiguration.php lines 106-116

Step 2: Triggering the Payload (Unsafe Read)

When the list is viewed (via lists_show.php), ListConfiguration::getSql() reads the stored values and interpolates them directly into SQL in four locations:

Injection Point 1 -- lsc_special_field in SELECT clause: File D:\bugcrowd\admidio\repo\src\Roles\Entity\ListConfiguration.php lines 739-770. The lsc_special_field value is read from the database and used as a column name in the SELECT clause. Only three values (mem_duration, mem_begin, mem_end) get special handling; all others fall through to the default case where the raw value is used directly as both $dbColumnName and $sqlColumnName, then interpolated into the SQL as $dbColumnName AS $sqlColumnName.

Injection Point 2 -- lsc_sort in ORDER BY clause: File D:\bugcrowd\admidio\repo\src\Roles\Entity\ListConfiguration.php lines 790-792. The lsc_sort value is appended directly after the column name in the ORDER BY clause.

Injection Point 3 -- lsc_special_field in search conditions: File D:\bugcrowd\admidio\repo\src\Roles\Entity\ListConfiguration.php lines 611-621. The lsc_special_field value is interpolated into COALESCE() expressions used in search WHERE conditions.

Injection Point 4 -- lsc_filter via ConditionParser: File D:\bugcrowd\admidio\repo\src\Roles\ValueObject\ConditionParser.php line 347. The ConditionParser appends raw characters from the stored filter value to the SQL string. A single quote can break out of the SQL string context.

Root Cause

The addColumn() method and mylist_function.php accept arbitrary strings for column names, sort directions, and filter conditions. The only gate for column names is a prefix check (usr_ or mem_), which is trivially satisfied by an attacker (e.g., usr_id) UNION SELECT ...). No allowlist of valid column names exists. No server-side validation of sort values exists (should only allow ASC/DESC/empty). The frontend <select> element only offers ASC/DESC, but this is trivially bypassed by POSTing arbitrary values.

PoC

Prerequisites: Logged-in user with list edit permission (default: all logged-in users).

Step 1: Save a list config with SQL injection in lsc_special_field

curl -X POST "https://TARGET/adm_program/modules/groups-roles/mylist_function.php?mode=save_temporary" \
  -H "Cookie: ADMIDIO_SESSION_ID=<session>" \
  -d "adm_csrf_token=<csrf_token>" \
  -d "column[]=usr_login_name" \
  -d "column[]=usr_id FROM adm_users)--" \
  -d "sort[]=" \
  -d "sort[]=" \
  -d "condition[]=" \
  -d "condition[]=" \
  -d "sel_roles[]=<valid_role_uuid>"

The second column value usr_id FROM adm_users)-- starts with usr_ so it passes the prefix check. When read back in getSql(), it is interpolated directly as a column expression in the SQL SELECT clause.

Step 2: Sort-based injection (simpler, no prefix check needed)

curl -X POST "https://TARGET/adm_program/modules/groups-roles/mylist_function.php?mode=save_temporary" \
  -H "Cookie: ADMIDIO_SESSION_ID=<session>" \
  -d "adm_csrf_token=<csrf_token>" \
  -d "column[]=usr_login_name" \
  -d "sort[]=ASC,(SELECT+CASE+WHEN+(1=1)+THEN+1+ELSE+1/0+END)" \
  -d "condition[]=" \
  -d "sel_roles[]=<valid_role_uuid>"

This injects into the ORDER BY clause. The sort value has zero server-side validation.

Step 3: The save_temporary mode automatically redirects to lists_show.php which calls ListConfiguration::getSql(), executing the injected SQL.

Impact

Data Exfiltration: An attacker can extract any data from the database including password hashes, email addresses, personal data of all members, and application configuration.
Data Modification: With stacked queries (supported by MySQL with PDO), the attacker can modify or delete data.
Privilege Escalation: Password hashes can be extracted and cracked, or admin accounts can be directly modified.
Full Database Compromise: The entire database is accessible through this vulnerability.

The attack requires authentication and CSRF token, but: 1. Any logged-in user has this permission by default (when groups_roles_edit_lists = 1). 2. The CSRF token is available in the same session. 3. The injected payload persists in the database and triggers every time anyone views the list.

Recommended Fix

Fix 1: Allowlist for lsc_special_field

Add a strict allowlist of valid special field names before calling addColumn() in mylist_function.php. The list should match exactly the field names supported in getSql() and the JavaScript on mylist.php.

Fix 2: Validate lsc_sort values

In ListConfiguration::addColumn(), validate that the sort parameter is one of ASC, DESC, or empty string before storing it.

Fix 3: Defense-in-depth validation in ListConfiguration::getSql()

Also validate the lsc_special_field value against an allowlist in getSql() before interpolating it into the SQL string. This protects against payloads already stored in the database.

Fix 4: Escape filter values in ConditionParser

Use parameterized queries or at minimum escape single quotes in ConditionParser::makeSqlStatement().

Severity ?

8.0 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.0.6"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "admidio/admidio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32813"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-16T21:19:09Z",
    "nvd_published_at": "2026-03-20T02:16:35Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe MyList configuration feature in Admidio allows authenticated users to define custom list column layouts. User-supplied column names, sort directions, and filter conditions are stored in the `adm_list_columns` table via prepared statements (safe storage), but are later read back and interpolated directly into dynamically constructed SQL queries without sanitization or parameterization. This is a classic second-order SQL injection: safe write, unsafe read.\n\nAn attacker can inject arbitrary SQL through these stored values to read, modify, or delete any data in the database, potentially achieving full database compromise.\n\n## Details\n\n### Step 1: Storing the Payload (Safe Write)\n\nIn `modules/groups-roles/mylist_function.php` (lines 89-115), user-supplied POST array values for column names, sort directions, and filter conditions are accepted. The only validation on column values is a prefix check (must start with `usr_` or `mem_`). Sort and condition values have no validation at all. These values are stored in the database via `ListConfiguration::addColumn()` which calls `Entity::save()` using prepared statements -- so the INSERT/UPDATE is safe.\n\nKey source file references:\n- `D:\\bugcrowd\\admidio\\repo\\modules\\groups-roles\\mylist_function.php` lines 89-115\n- `D:\\bugcrowd\\admidio\\repo\\src\\Roles\\Entity\\ListConfiguration.php` lines 106-116\n\n### Step 2: Triggering the Payload (Unsafe Read)\n\nWhen the list is viewed (via `lists_show.php`), `ListConfiguration::getSql()` reads the stored values and interpolates them directly into SQL in four locations:\n\n**Injection Point 1 -- lsc_special_field in SELECT clause:**\nFile `D:\\bugcrowd\\admidio\\repo\\src\\Roles\\Entity\\ListConfiguration.php` lines 739-770.\nThe `lsc_special_field` value is read from the database and used as a column name in the SELECT clause. Only three values (`mem_duration`, `mem_begin`, `mem_end`) get special handling; all others fall through to the `default` case where the raw value is used directly as both `$dbColumnName` and `$sqlColumnName`, then interpolated into the SQL as `$dbColumnName AS $sqlColumnName`.\n\n**Injection Point 2 -- lsc_sort in ORDER BY clause:**\nFile `D:\\bugcrowd\\admidio\\repo\\src\\Roles\\Entity\\ListConfiguration.php` lines 790-792.\nThe `lsc_sort` value is appended directly after the column name in the ORDER BY clause.\n\n**Injection Point 3 -- lsc_special_field in search conditions:**\nFile `D:\\bugcrowd\\admidio\\repo\\src\\Roles\\Entity\\ListConfiguration.php` lines 611-621.\nThe `lsc_special_field` value is interpolated into COALESCE() expressions used in search WHERE conditions.\n\n**Injection Point 4 -- lsc_filter via ConditionParser:**\nFile `D:\\bugcrowd\\admidio\\repo\\src\\Roles\\ValueObject\\ConditionParser.php` line 347.\nThe ConditionParser appends raw characters from the stored filter value to the SQL string. A single quote can break out of the SQL string context.\n\n### Root Cause\n\nThe `addColumn()` method and `mylist_function.php` accept arbitrary strings for column names, sort directions, and filter conditions. The only gate for column names is a prefix check (`usr_` or `mem_`), which is trivially satisfied by an attacker (e.g., `usr_id) UNION SELECT ...`). No allowlist of valid column names exists. No server-side validation of sort values exists (should only allow ASC/DESC/empty). The frontend `\u003cselect\u003e` element only offers ASC/DESC, but this is trivially bypassed by POSTing arbitrary values.\n\n## PoC\n\n**Prerequisites:** Logged-in user with list edit permission (default: all logged-in users).\n\n**Step 1: Save a list config with SQL injection in lsc_special_field**\n\n```\ncurl -X POST \"https://TARGET/adm_program/modules/groups-roles/mylist_function.php?mode=save_temporary\" \\\n  -H \"Cookie: ADMIDIO_SESSION_ID=\u003csession\u003e\" \\\n  -d \"adm_csrf_token=\u003ccsrf_token\u003e\" \\\n  -d \"column[]=usr_login_name\" \\\n  -d \"column[]=usr_id FROM adm_users)--\" \\\n  -d \"sort[]=\" \\\n  -d \"sort[]=\" \\\n  -d \"condition[]=\" \\\n  -d \"condition[]=\" \\\n  -d \"sel_roles[]=\u003cvalid_role_uuid\u003e\"\n```\n\nThe second column value `usr_id FROM adm_users)--` starts with `usr_` so it passes the prefix check. When read back in `getSql()`, it is interpolated directly as a column expression in the SQL SELECT clause.\n\n**Step 2: Sort-based injection (simpler, no prefix check needed)**\n\n```\ncurl -X POST \"https://TARGET/adm_program/modules/groups-roles/mylist_function.php?mode=save_temporary\" \\\n  -H \"Cookie: ADMIDIO_SESSION_ID=\u003csession\u003e\" \\\n  -d \"adm_csrf_token=\u003ccsrf_token\u003e\" \\\n  -d \"column[]=usr_login_name\" \\\n  -d \"sort[]=ASC,(SELECT+CASE+WHEN+(1=1)+THEN+1+ELSE+1/0+END)\" \\\n  -d \"condition[]=\" \\\n  -d \"sel_roles[]=\u003cvalid_role_uuid\u003e\"\n```\n\nThis injects into the ORDER BY clause. The sort value has zero server-side validation.\n\n**Step 3:** The `save_temporary` mode automatically redirects to `lists_show.php` which calls `ListConfiguration::getSql()`, executing the injected SQL.\n\n## Impact\n\n- **Data Exfiltration:** An attacker can extract any data from the database including password hashes, email addresses, personal data of all members, and application configuration.\n- **Data Modification:** With stacked queries (supported by MySQL with PDO), the attacker can modify or delete data.\n- **Privilege Escalation:** Password hashes can be extracted and cracked, or admin accounts can be directly modified.\n- **Full Database Compromise:** The entire database is accessible through this vulnerability.\n\nThe attack requires authentication and CSRF token, but:\n1. Any logged-in user has this permission by default (when `groups_roles_edit_lists = 1`).\n2. The CSRF token is available in the same session.\n3. The injected payload persists in the database and triggers every time anyone views the list.\n\n## Recommended Fix\n\n### Fix 1: Allowlist for lsc_special_field\n\nAdd a strict allowlist of valid special field names before calling `addColumn()` in `mylist_function.php`. The list should match exactly the field names supported in `getSql()` and the JavaScript on `mylist.php`.\n\n### Fix 2: Validate lsc_sort values\n\nIn `ListConfiguration::addColumn()`, validate that the sort parameter is one of ASC, DESC, or empty string before storing it.\n\n### Fix 3: Defense-in-depth validation in ListConfiguration::getSql()\n\nAlso validate the `lsc_special_field` value against an allowlist in `getSql()` before interpolating it into the SQL string. This protects against payloads already stored in the database.\n\n### Fix 4: Escape filter values in ConditionParser\n\nUse parameterized queries or at minimum escape single quotes in `ConditionParser::makeSqlStatement()`.",
  "id": "GHSA-3x67-4c2c-w45m",
  "modified": "2026-03-20T21:19:34Z",
  "published": "2026-03-16T21:19:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-3x67-4c2c-w45m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32813"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Admidio/admidio/commit/3473bf5a7aa1bfc5043e73979719396276f4189f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Admidio/admidio"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Admidio has a Second-Order SQL Injection via List Configuration (lsc_special_field, lsc_sort, lsc_filter)"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-32813 (GCVE-0-2026-32813)

FKIE_CVE-2026-32813

GHSA-3X67-4C2C-W45M

Summary

Details

Step 1: Storing the Payload (Safe Write)

Step 2: Triggering the Payload (Unsafe Read)

Root Cause

PoC

Impact

Recommended Fix

Fix 1: Allowlist for lsc_special_field

Fix 2: Validate lsc_sort values

Fix 3: Defense-in-depth validation in ListConfiguration::getSql()

Fix 4: Escape filter values in ConditionParser

Tags

Sightings

Nomenclature