PT-2026-37142 · Admidio · Admidio
Offset
Published 2026-04-29 · Updated 2026-05-07
CVE-2026-41658
CVSS v3.1: 6.5 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Admidio versions prior to 5.0.9
Description
The inventory module fails to enforce authorization for destructive operations on the backend, relying instead on the UI layer to hide buttons from non-administrative users. While the system performs CSRF validation, it does not verify whether the requesting user has inventory administrator privileges before executing actions. Consequently, any authenticated user with access to the inventory module can permanently delete inventory items and all associated data, as well as retire or reinstate items and manage item pictures.
Technical details include the following:
- API Endpoint: 'modules/inventory.php'
- Vulnerable Parameters: item delete, item retire, item reinstate, item picture upload, item picture save, and item picture delete
- Vulnerable Function: isAdministratorInventory() is not called to verify permissions before executing destructive tasks.
Recommendations
Update to version 5.0.9.
As a temporary workaround, restrict access to the 'modules/inventory.php' endpoint or the inventory module to only trusted administrative users.
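The missing server-side check described above, and the interim workaround of keeping non-administrators out of the endpoint, shown as an added PHP example. This is illustrative code written for this page, not Admidio's own source: the method name isAdministratorInventory() and the action names come from the advisory, while the CurrentUser stand-in, the underscore spelling of the mode values, the request-array shape and the function names are assumptions. The vulnerable handler checks the CSRF token and nothing else; the hardened handler re-checks the privilege that the UI was relying on before any state-changing mode runs, and logs the refusal so an attempt by a non-administrator is visible in the server log.

```php
<?php
// Illustrative example for this advisory, not Admidio code.
// Assumed: a minimal current-user stand-in exposing the method the advisory names.
final class CurrentUser
{
    public function __construct(private bool $inventoryAdmin) {}

    // Method name taken from the advisory; on the real project it lives on the user class.
    public function isAdministratorInventory(): bool
    {
        return $this->inventoryAdmin;
    }
}

// State-changing inventory actions listed in the advisory (underscore form is assumed).
const INVENTORY_ADMIN_MODES = [
    'item_delete', 'item_retire', 'item_reinstate',
    'item_picture_upload', 'item_picture_save', 'item_picture_delete',
];

// Constant-time comparison of the submitted token against the session token.
function csrfTokenIsValid(string $submitted, string $expected): bool
{
    return $submitted !== '' && hash_equals($expected, $submitted);
}

// Vulnerable shape: CSRF is validated, but the user's privilege is never checked,
// so any logged-in member who reaches the module can run item_delete.
function handleInventoryRequestVulnerable(array $request, CurrentUser $user, string $sessionToken): string
{
    if (!csrfTokenIsValid($request['csrf_token'] ?? '', $sessionToken)) {
        return 'rejected: bad CSRF token';
    }
    $mode = $request['mode'] ?? '';
    return "executed: $mode";
}

// Hardened shape: the backend enforces the authorization the UI only hinted at.
function handleInventoryRequestFixed(array $request, CurrentUser $user, string $sessionToken): string
{
    if (!csrfTokenIsValid($request['csrf_token'] ?? '', $sessionToken)) {
        return 'rejected: bad CSRF token';
    }
    $mode = $request['mode'] ?? '';
    if (in_array($mode, INVENTORY_ADMIN_MODES, true) && !$user->isAdministratorInventory()) {
        // Detection hook: a non-administrator attempted a destructive inventory action.
        error_log(sprintf('inventory: authorization denied for mode "%s"', $mode));
        return 'rejected: not an inventory administrator';
    }
    return "executed: $mode";
}

// Interim workaround from the recommendations: refuse the whole endpoint to
// anyone who is not an inventory administrator, before any mode is dispatched.
function endpointAllowedForUser(CurrentUser $user): bool
{
    return $user->isAdministratorInventory();
}

// Self-check on constructed input: a plain member submitting a valid CSRF token.
$sessionToken = 'constructed-session-token';
$request = ['mode' => 'item_delete', 'csrf_token' => $sessionToken];
$member = new CurrentUser(false);
$admin  = new CurrentUser(true);

$checks = [
    handleInventoryRequestVulnerable($request, $member, $sessionToken) === 'executed: item_delete',
    handleInventoryRequestFixed($request, $member, $sessionToken) === 'rejected: not an inventory administrator',
    handleInventoryRequestFixed($request, $admin, $sessionToken) === 'executed: item_delete',
    handleInventoryRequestFixed(['mode' => 'item_delete', 'csrf_token' => 'wrong'], $admin, $sessionToken) === 'rejected: bad CSRF token',
    endpointAllowedForUser($member) === false && endpointAllowedForUser($admin) === true,
];
foreach ($checks as $i => $ok) {
    if (!$ok) {
        throw new RuntimeException("check $i failed");
    }
}
echo "all checks passed\n";
```

Run it with `php example.php`. The point of the split into two handlers is the one the advisory makes: CSRF validation proves the request came from the user's own browser session, but it says nothing about what that user is allowed to do, so the privilege check has to happen on the server for every state-changing mode, not only in the template that hides the buttons.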
Exploit
Fix
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Admidio