Arbitrary SQL Injection Vulnerability in Admidio User Management Solution
CVE-2026-32813

Score: 8 (HIGH)

Key Information:

Vendor

Admidio

Status
Vendor
CVE Published:
20 March 2026

What is CVE-2026-32813?

Admidio, an open-source user management solution, has a serious security flaw in its MyList configuration feature. Versions 5.0.6 and below are vulnerable to arbitrary SQL injection because user-defined values stored in the adm_list_columns table are not adequately sanitized. Authenticated users can manipulate list column layouts, and the stored values are then embedded directly into SQL queries when the list is retrieved. This unsafe read path allows an attacker to inject SQL, potentially leading to unauthorized access to, modification of, or deletion of database records. The vulnerability has been patched in version 5.0.7; installations on earlier versions should upgrade.
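An added illustration of the read path described above, not Admidio's own code: a stored list-column value is concatenated into a SELECT (the vulnerable pattern) beside a variant that first checks every stored value against the target table's real column names. The toy schema, the adm_users table and column names, and all function names are assumptions for this example.

```python
import sqlite3

# Constructed toy schema standing in for Admidio's tables (an assumption;
# only the adm_list_columns table name comes from the advisory).
SCHEMA = """
CREATE TABLE adm_users (usr_id INTEGER, usr_login_name TEXT, usr_email TEXT);
CREATE TABLE adm_list_columns (lsc_id INTEGER, lsc_lst_id INTEGER, lsc_column TEXT);
INSERT INTO adm_users VALUES (1, 'alice', 'alice@example.org'),
                             (2, 'bob', 'bob@example.org');
"""


def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def save_list_column(con, list_id, column):
    # The stored value is user-controlled: it comes from a MyList configuration.
    # Parameter binding protects this write, but not the later read below.
    con.execute("INSERT INTO adm_list_columns (lsc_lst_id, lsc_column) VALUES (?, ?)",
                (list_id, column))


def stored_columns(con, list_id):
    return [r[0] for r in con.execute(
        "SELECT lsc_column FROM adm_list_columns WHERE lsc_lst_id = ?", (list_id,))]


def build_query_unsafe(con, list_id):
    # Vulnerable pattern: stored values become SQL text verbatim, so anything
    # other than a plain column name is executed as SQL (second-order injection).
    return "SELECT " + ", ".join(stored_columns(con, list_id)) + " FROM adm_users"


def build_query_safe(con, list_id):
    # Hardened pattern: identifiers cannot be bound as parameters, so validate
    # each stored value against the schema's actual column names before use.
    allowed = {row[1] for row in con.execute("PRAGMA table_info(adm_users)")}
    cols = stored_columns(con, list_id)
    for col in cols:
        if col not in allowed:
            raise ValueError(f"stored list column rejected: {col!r}")
    return "SELECT " + ", ".join(cols) + " FROM adm_users"


def run_list(con, list_id, builder):
    return con.execute(builder(con, list_id)).fetchall()
```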

Affected Version(s)

admidio < 5.0.7

References

CVSS V3.1

Score:
8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved