CVE-2026-41658

MEDIUM 6.5

Admidio: Missing Authorization on Inventory Module Destructive Endpoints Allows Any Authenticated User to Delete Items

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

0th

Admidio is an open-source user management solution. Prior to version 5.0.9, the Admidio inventory module enforces authorization for destructive operations (delete, retire, reinstate) only in the UI layer by conditionally rendering buttons. The backend POST handlers at modules/inventory.php for item_delete, item_retire, item_reinstate, item_picture_upload, item_picture_save, and item_picture_delete perform CSRF validation but never check whether the requesting user is an inventory administrator. Any authenticated user who can access the inventory module can permanently delete any inventory item and all its associated data. This issue has been patched in version 5.0.9.

CWE	CWE-862
Vendor	admidio
Product	admidio
Published	May 7, 2026

Stay Ahead of the Next One

Get instant alerts for admidio admidio

Be the first to know when new medium vulnerabilities affecting admidio admidio are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Affected Versions

Admidio / admidio

< 5.0.9

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/Admidio/admidio/security/advisories/GHSA-xqv4-xm7h-52cv github.com: https://github.com/Admidio/admidio/releases/tag/v5.0.9