CVE-2026-34381

Source
https://cve.org/CVERecord?id=CVE-2026-34381
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34381.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-34381
Aliases
Published
2026-03-31T20:31:23.379Z
Modified
2026-04-02T13:30:12.497922Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Admidio: Unauthenticated Access to Role-Restricted documents via neutralized .htaccess
Details

Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, Admidio relies on adm_my_files/.htaccess to deny direct HTTP access to uploaded documents. The Docker image ships with AllowOverride None in the Apache configuration, which causes Apache to silently ignore all .htaccess files. As a result, any file uploaded to the documents module, regardless of the role-based permissions configured in the UI, is directly accessible over HTTP without authentication by anyone who knows the file path. The file path is disclosed in the upload response JSON. This issue has been patched in version 5.0.8.
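A configuration audit for the failure mode described above, as an added example (not Admidio's code and not part of the CVE record): it merges plain <Directory> sections the way Apache does and flags a directory that the server config leaves open while .htaccess is ignored. The config text, the /var/www/html document root and the protected_uploads directory name are constructed placeholders; regex and wildcard <Directory> sections are not handled.

```python
import re

# Constructed sample server config; paths are placeholders, not the image's real layout.
SAMPLE_CONF = """
<Directory />
    AllowOverride None
    Require all denied
</Directory>
<Directory "/var/www/html">
    Options FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
"""
# Hardened variant: the deny rule lives in the server config, so it cannot be ignored.
HARDENED_CONF = SAMPLE_CONF + """
<Directory "/var/www/html/protected_uploads">
    Require all denied
</Directory>
"""
BLOCK = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)

def effective(conf, path):
    """Merge the <Directory> sections containing `path`, shortest path first."""
    # AllowOverride defaults to None in Apache 2.4, so .htaccess is off unless enabled.
    state = {"allowoverride": "None", "require": None}
    matches = []
    for directory, body in BLOCK.findall(conf):
        directory = directory.rstrip("/")
        if path == directory or path.startswith(directory + "/"):
            matches.append((len(directory), body))
    for _, body in sorted(matches, key=lambda m: m[0]):
        for line in body.splitlines():
            parts = line.split(None, 1)
            # Simplification: the last value seen for a directive wins.
            if len(parts) == 2 and parts[0].lower() in state:
                state[parts[0].lower()] = parts[1].strip()
    return state

def htaccess_ignored_and_open(conf, path):
    """True when .htaccess is ignored for `path` and the server config grants access."""
    s = effective(conf, path)
    ignored = s["allowoverride"].lower() == "none"
    granted = (s["require"] or "").lower() == "all granted"
    return ignored and granted

if __name__ == "__main__":
    target = "/var/www/html/protected_uploads"
    print("sample exposed:", htaccess_ignored_and_open(SAMPLE_CONF, target))
    print("hardened exposed:", htaccess_ignored_and_open(HARDENED_CONF, target))
```

A False result for a config with AllowOverride enabled only means the .htaccess file is consulted; the file's own rules still need to be checked.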

Database specific
{
    "cwe_ids": [
        "CWE-284"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34381.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/admidio/admidio

Affected ranges

Type
GIT
Repo
https://github.com/admidio/admidio
Events
Database specific
{
    "versions": [
        {
            "introduced": "5.0.0"
        },
        {
            "fixed": "5.0.8"
        }
    ]
}

Affected versions

Other
v34
v5.*
v5.0.0
v5.0.1
v5.0.2
v5.0.3
v5.0.4
v5.0.5
v5.0.6
v5.0.7

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34381.json"