CVE-2026-34381

Published: Mar 31, 2026 Last Modified: Mar 31, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 7,5

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Scope: unchanged

Confidentiality: high

Integrity: none

Availability: none

Description

AI Translation Available

Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, Admidio relies on adm_my_files/.htaccess to deny direct HTTP access to uploaded documents. The Docker image ships with AllowOverride None in the Apache configuration, which causes Apache to silently ignore all .htaccess files. As a result, any file uploaded to the documents module regardless of the role-based permissions configured in the UI, is directly accessible over HTTP without authentication by anyone who knows the file path. The file path is disclosed in the upload response JSON. This issue has been patched in version 5.0.8.

284

Improper Access Control

Incomplete

Abstraction: Pillar Structure: Simple

Common Consequences

Security Scopes Affected:

Other

Potential Impacts:

Varies By Context

Applicable Platforms

Technologies: ICS/OT, Not Technology-Specific, Web Based

View CWE Details

https://github.com/Admidio/admidio/commit/5f770c1ca81a4f6b0…

https://github.com/Admidio/admidio/commit/5f770c1ca81a4f6b02136280cd63316a35aab…

https://github.com/Admidio/admidio/security/advisories/GHSA…

https://github.com/Admidio/admidio/security/advisories/GHSA-7fh7-8xqm-3g88

CVE-2026-34381

Description

Improper Access Control

Common Consequences

Applicable Platforms

Iscriviti alla newsletter