Description

Admidio is an open-source user management solution. Prior to version 5.0.9, the Admidio inventory module enforces authorization for destructive operations (delete, retire, reinstate) only in the UI layer by conditionally rendering buttons. The backend POST handlers at modules/inventory.php for item_delete, item_retire, item_reinstate, item_picture_upload, item_picture_save, and item_picture_delete perform CSRF validation but never check whether the requesting user is an inventory administrator. Any authenticated user who can access the inventory module can permanently delete any inventory item and all its associated data. This issue has been patched in version 5.0.9.
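The pattern described above, and the server-side check that closes it, as an added sketch that is not Admidio's code: `handle()`, the `mode` and `csrf_token` keys, and the `is_inventory_admin` flag are hypothetical names, and only the mode strings are taken from the description.

```php
<?php
declare(strict_types=1);

// Modes the description lists as lacking a server-side role check.
const ADMIN_ONLY_MODES = [
    'item_delete', 'item_retire', 'item_reinstate',
    'item_picture_upload', 'item_picture_save', 'item_picture_delete',
];

// Hypothetical POST dispatcher; returns the HTTP status it would send.
// $enforceRole = false models the UI-only behaviour, true the hardened handler.
function handle(array $post, array $session, array $user, bool $enforceRole): int
{
    // CSRF validation shows the request came from the user's own session.
    // It says nothing about whether that user may perform the action.
    $token = $post['csrf_token'] ?? null;
    if (!is_string($token) || !hash_equals($session['csrf_token'], $token)) {
        return 400;
    }
    $mode = $post['mode'] ?? '';
    if (!is_string($mode) || !in_array($mode, ADMIN_ONLY_MODES, true)) {
        return 404;
    }
    // Authorization in the handler itself, independent of which buttons
    // the page rendered for this user.
    if ($enforceRole && empty($user['is_inventory_admin'])) {
        return 403;
    }
    // ... the destructive operation would run here ...
    return 200;
}

// Constructed sample data: one session token, two users, one request.
$session = ['csrf_token' => 'constructed-token'];
$users = [
    'member' => ['is_inventory_admin' => false],
    'admin'  => ['is_inventory_admin' => true],
];
$post = ['csrf_token' => 'constructed-token', 'mode' => 'item_delete'];

foreach ([false, true] as $enforceRole) {
    foreach ($users as $name => $user) {
        printf("%-9s %-6s -> %d\n", $enforceRole ? 'enforced' : 'ui-only',
            $name, handle($post, $session, $user, $enforceRole));
    }
}
```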

INFO

Published Date: 2026-05-07T02:58:27.557Z
Last Modified: 2026-05-07T13:56:16.154Z
Source: GitHub_M

AFFECTED PRODUCTS

The following products are affected by the CVE-2026-41658 vulnerability.

Vendor: Admidio
Product: Admidio