CVE-2026-47234: Admidio writes session IDs and auto-login cookie values to application logs

May 29, 2026

When debug logging is enabled, Session::setCookie() logs full cookie values and Session::start() logs the current session ID. In a real Admidio deployment this includes both the active session cookie and the persistent auto-login cookie. Anyone with access to the log sink can recover live bearer-style credentials from the logs.

References

github.com/Admidio/admidio/security/advisories/GHSA-mch8-wf3h-6x88
github.com/advisories/GHSA-mch8-wf3h-6x88
nvd.nist.gov/vuln/detail/CVE-2026-47234

Code Behaviors & Features

Detect and mitigate CVE-2026-47234 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →