PT-2026-29348 · Apache+1

Jfoz1010 · Published 2026-03-31 · Updated 2026-04-01 · CVE-2026-34381

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Admidio versions 5.0.0 through 5.0.7

Description: Admidio relies on .htaccess files to keep uploaded documents from being fetched directly over HTTP; role-based permissions are enforced only by Admidio's own download handler. The Docker image ships an Apache configuration with AllowOverride None, so those .htaccess files are ignored and the web server serves the upload directory like any other static path. Anyone who knows a file's path can therefore retrieve it without authentication, regardless of the role-based permissions configured in the user interface, which exposes sensitive organizational documents such as contracts, member data and financial records. The upload API response returns the direct URL of the stored file to the uploader, so an authenticated user does not even need to guess paths. Note that the issue is not specific to the Docker image: any deployment whose Apache configuration disables overrides for the upload directory behaves the same way.

Recommendations (versions 5.0.0 through 5.0.7):
- Enable AllowOverride All in the Apache configuration for the /opt/app-root/src/adm_my_files directory, so the shipped .htaccess is honoured again.
- Move uploaded files to a directory outside the web root and serve them exclusively through Admidio's download handler (modules/documents-files.php?mode=download), which removes the dependency on .htaccess altogether.
- Configure an explicit deny rule at the Apache level for the /opt/app-root/src/adm_my_files directory; after applying either fix, confirm that a direct request for a known upload URL returns 403 rather than the file.
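The following POSIX shell script is an added example and is not part of this advisory, of Admidio, or of its Docker image. It audits an Apache httpd configuration for exactly the condition described above, a directory covered by AllowOverride None with no explicit deny, and shows the weak stanza beside two hardened variants (the explicit deny and the AllowOverride All fix from the recommendations). The upload directory path /opt/app-root/src/adm_my_files and the three configuration files are assumptions constructed for illustration; the merge logic is a simplification of httpd's real rules (no Location, Files, regex sections or Include handling).

```shell
#!/bin/sh
# Added example: not from the advisory, Admidio, or its Docker image.
# Audits an Apache config for an upload directory that is reachable by
# direct URL because "AllowOverride None" disables its .htaccess and no
# explicit deny replaces it. All paths and config text are constructed.

UPLOAD_DIR="/opt/app-root/src/adm_my_files"   # assumed upload location
WORK=$(mktemp -d)

# Weak configuration: overrides disabled for the whole web root, nothing
# else restricts the upload directory, so its .htaccess is dead weight.
cat > "$WORK/weak.conf" <<'EOF'
<Directory "/opt/app-root/src">
    AllowOverride None
    Require all granted
</Directory>
EOF

# Fix 1: explicit deny at the Apache level. The PHP download handler still
# reads the files from disk, so role checks keep working.
cat > "$WORK/deny.conf" <<'EOF'
<Directory "/opt/app-root/src">
    AllowOverride None
    Require all granted
</Directory>
<Directory "/opt/app-root/src/adm_my_files">
    Require all denied
</Directory>
EOF

# Fix 2: re-enable overrides for the upload directory only.
cat > "$WORK/override.conf" <<'EOF'
<Directory "/opt/app-root/src">
    AllowOverride None
    Require all granted
</Directory>
<Directory "/opt/app-root/src/adm_my_files">
    AllowOverride All
</Directory>
EOF

# effective_directory_policy CONFIG PATH
# Prints "ALLOWOVERRIDE|REQUIRE" as applied to PATH: among <Directory>
# sections whose path is PATH or one of its parents, the most specific
# section that sets a directive wins (simplified httpd merge semantics).
effective_directory_policy() {
  awk -v target="$2" '
    function covers(d) { return d == "/" || d == target || index(target, d "/") == 1 }
    $1 == "<Directory" {
      d = $2; sub(/>$/, "", d); gsub(/"/, "", d)
      if (length(d) > 1) sub(/\/$/, "", d)
      cur = covers(d) ? d : ""; next
    }
    $1 == "</Directory>" { cur = ""; next }
    cur != "" && $1 == "AllowOverride" && length(cur) >= aolen { ao = $2; aolen = length(cur) }
    cur != "" && $1 == "Require" && length(cur) >= rqlen {
      rq = $2; if ($3 != "") rq = rq " " $3; rqlen = length(cur)
    }
    END { printf "%s|%s\n", (ao == "" ? "None" : ao), (rq == "" ? "unset" : rq) }
  ' "$1"
}

# upload_dir_exposed CONFIG
# Returns 0 (true) when files in UPLOAD_DIR are reachable by direct URL.
upload_dir_exposed() {
  policy=$(effective_directory_policy "$1" "$UPLOAD_DIR")
  ao=${policy%%|*}
  rq=${policy#*|}
  case "$rq" in
    "all denied") echo "$1: protected, explicit deny on $UPLOAD_DIR"; return 1 ;;
  esac
  if [ "$ao" = "None" ]; then
    echo "$1: EXPOSED, AllowOverride None ignores the directory's .htaccess and no deny applies"
    return 0
  fi
  # .htaccess is honoured only for directives in the enabled class:
  # Require needs AuthConfig, Order/Deny need Limit, All covers both.
  echo "$1: .htaccess honoured under AllowOverride $ao; confirm the class covers its directives"
  return 1
}

for cfg in "$WORK/weak.conf" "$WORK/deny.conf" "$WORK/override.conf"; do
  upload_dir_exposed "$cfg" || :
done
```

Run it against a real httpd.conf by pointing upload_dir_exposed at that file and adjusting UPLOAD_DIR; a positive result should be confirmed with an unauthenticated request for a known upload URL, which must return 403 after the fix.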

Weakness Enumeration: Improper Access Control

Related Identifiers: CVE-2026-34381, GHSA-7FH7-8XQM-3G88

Affected Products: Admidio, Apache