Path Traversal Vulnerability in Admidio User Management Solution
CVE-2026-41656

4.5 MEDIUM

Key Information:

Vendor

Admidio

Status
Vendor
CVE Published: 7 May 2026

What is CVE-2026-41656?

In the Admidio user management solution, the add mode of modules/documents-files.php accepts a name parameter without validating it for path traversal characters. This oversight is compounded by the absence of adequate CSRF protection and the use of SameSite=Lax session cookies, which together let a low-privileged attacker craft malicious links. When an unsuspecting documents administrator clicks such a link, the attacker can register arbitrary files, potentially exposing sensitive data such as database credentials. The vulnerability has been addressed in version 5.0.9.
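The two checks whose absence the description names, sketched as an added example; this is not Admidio's code and not the 5.0.9 patch. The function names, the per-session token and the demo folder are hypothetical, and the sketch assumes the registered file must already exist directly inside the target folder.

```php
<?php
declare(strict_types=1);

// Added illustration: names, parameters and sample values are hypothetical.

/**
 * Returns the canonical path of $name inside $folder, or null when the name
 * is not a plain file name or resolves outside the folder.
 */
function resolveInsideFolder(string $folder, string $name): ?string
{
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    // A file name must not carry path separators or NUL bytes.
    foreach (['/', '\\', "\0"] as $forbidden) {
        if (strpos($name, $forbidden) !== false) {
            return null;
        }
    }
    $base = realpath($folder);
    $full = realpath($folder . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $full === false) {
        return null; // folder or file does not exist
    }
    // The canonical path must still sit directly under the canonical folder;
    // this also rejects symlinks that point elsewhere.
    return dirname($full) === $base ? $full : null;
}

/**
 * State-changing requests must be POST and carry the per-session token, so a
 * followed link (a GET that SameSite=Lax cookies accompany) is rejected.
 */
function isTrustedStateChange(string $method, ?string $sent, ?string $expected): bool
{
    return $method === 'POST'
        && is_string($sent) && is_string($expected) && $expected !== ''
        && hash_equals($expected, $sent);
}

// Constructed demo input.
$folder = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'docs_demo';
@mkdir($folder);
file_put_contents($folder . DIRECTORY_SEPARATOR . 'report.pdf', 'x');
$token = bin2hex(random_bytes(16));

var_dump(resolveInsideFolder($folder, 'report.pdf') !== null);
var_dump(resolveInsideFolder($folder, '../../config.php'));
var_dump(isTrustedStateChange('GET', $token, $token));
var_dump(isTrustedStateChange('POST', $token, $token));
```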

Affected Version(s)

admidio < 5.0.9

CVSS V3.1

Score: 4.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
