CVE-2026-34384
- Source
- https://cve.org/CVERecord?id=CVE-2026-34384
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34384.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-34384
- Aliases
- Published
- 2026-03-31T20:34:37.789Z
- Modified
- 2026-04-10T05:43:01.633425Z
- Severity
-
- 4.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- Admidio: Missing CSRF Protection on Registration Approval Actions
- Details
-
Admidio is an open-source user management solution. Prior to version 5.0.8, the createuser, assignmember, and assignuser action modes in modules/registration.php approve pending user registrations via GET request without validating a CSRF token. Unlike the deleteuser mode in the same file (which correctly validates the token), these three approval actions read their parameters from $GET and perform irreversible state changes without any protection. An attacker who has submitted a pending registration can extract their own user UUID from the registration confirmation email URL, then trick any user with the rolapprove_users right into visiting a crafted URL that automatically approves the registration. This bypasses the manual registration approval workflow entirely. This issue has been patched in version 5.0.8.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34384.json", "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-352" ] }- References