CVE-2026-32813: Admidio is an open-source user management solution. Versions 5.0.6 and below are vulnerable to arbitrary SQL Injection through the MyList configuratio...

Description

Admidio is an open-source user management solution. Versions 5.0.6 and below are vulnerable to arbitrary SQL Injection through the MyList configuration feature. The MyList configuration feature lets authenticated users define custom list column layouts, storing user-supplied column names, sort directions, and filter conditions in the adm_list_columns table via prepared statements. However, these stored values are later read back and interpolated directly into dynamically constructed SQL queries without sanitization or parameterization, creating a classic second-order SQL injection vulnerability (safe write, unsafe read). An attacker can exploit this to inject arbitrary SQL, potentially reading, modifying, or deleting any data in the database and achieving full database compromise. This issue has been fixed in version 5.0.7.

Metrics

CVSS 3.1

8/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

EPSS Probability

0.28%

19.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-89

Affected Software

Vendor	Product	Versions
Admidio	Admidio	< 5.0.7

References

https://github.com/Admidio/admidio/commit/3473bf5a7aa1bfc5043e73979719396276f4189fPatch
https://github.com/Admidio/admidio/security/advisories/GHSA-3x67-4c2c-w45mExploit, Mitigation, Vendor Advisory
https://github.com/Admidio/admidio/security/advisories/GHSA-3x67-4c2c-w45mExploit, Mitigation, Vendor Advisory

Timeline

Published: Mar 20, 2026
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2026-32813?

Admidio is an open-source user management solution. Versions 5.0.6 and below are vulnerable to arbitrary SQL Injection through the MyList configuration feature. The MyList configuration feature lets authenticated users define custom list column layouts, storing user-supplied column names, sort directions, and filter conditions in the adm_list_columns table via prepared statements. However, these stored values are later read back and interpolated directly into dynamically constructed SQL queries without sanitization or parameterization, creating a classic second-order SQL injection vulnerability (safe write, unsafe read). An attacker can exploit this to inject arbitrary SQL, potentially reading, modifying, or deleting any data in the database and achieving full database compromise. This issue has been fixed in version 5.0.7.

How severe is CVE-2026-32813?

CVE-2026-32813 has a CVSS score of 8/10 (HIGH severity). The EPSS model estimates a 0.28% probability of exploitation in the next 30 days.

How do I fix CVE-2026-32813?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.