CVE-2026-41663: Admidio has CSRF on Admin Preferences that Triggers Unauthorized Backup, .htaccess Write, and Email Send

April 29, 2026 (updated May 8, 2026)

Several administrative operations in Admidio’s preferences module (database backup, test email, htaccess generation) fire via GET requests with no CSRF token validation. Because SameSite=Lax cookies travel with top-level GET navigations, an attacker forces an authenticated admin to trigger these actions from a malicious page.

References

github.com/Admidio/admidio/releases/tag/v5.0.9
github.com/Admidio/admidio/security/advisories/GHSA-rw74-vc9h-534j
github.com/advisories/GHSA-rw74-vc9h-534j
nvd.nist.gov/vuln/detail/CVE-2026-41663

Code Behaviors & Features

Detect and mitigate CVE-2026-41663 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →