CVE-2026-47234

MEDIUMPre-NVD 4.44.4
EchelonGraph scoreLOW confidence

This medium-severity CVE scores 4.4 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit probability: 0.0%, top 97% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m, epss
4.4
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • Lower severity and no public exploit yet
CISA-KEV: Not listedEPSS: 0%CVSS: 4.4Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Admidio writes session IDs and auto-login cookie values to application logs

Summary

When debug logging is enabled, Session::setCookie() logs full cookie values and Session::start() logs the current session ID. In a real Admidio deployment this includes both the active session cookie and the persistent auto-login cookie. Anyone with access to the log sink can recover live bearer-style credentials from the logs.

Vulnerable Code Links

  • https://github.com/Admidio/admidio/blob/v5.0.9/src/Session/Entity/Session.php#L533-L540
  • https://github.com/Admidio/admidio/blob/v5.0.9/src/Session/Entity/Session.php#L615-L617

Vulnerable Code

// src/Session/Entity/Session.php
$gLogger->info('Set Cookie!', array(
'name' => $name,
'value' => $value,
'expire' => $expire,
'path' => $path,
'domain' => $domain,
'secure' => $secure,
'httpOnly' => $httpOnly,
'sameSite' => 'lax'
));
...
session_start();
$gLogger->info('Session Started!', array(
'name' => $sessionName,
'limit' => $limit,
'path' => $path,
'domain' => $domain,
'secure' => $secure,
'httpOnly' => $httpOnly,
'sameSite' => 'lax',
'sessionId' => session_id()
));

What Does The Code Mean

Every time Admidio sets a cookie, it writes the raw cookie value to the application log. When a session starts, it writes the active session identifier too.

Why The Code Is Vulnerable

Session IDs and persistent auto-login values are credentials. Logging them turns the log file into a credential store and expands the trust boundary to anyone who can read logs, backups, or external log aggregation outputs.

Verification Environment

  • Application: Admidio v5.0.9
  • Runtime: Dockerized Admidio + MariaDB on http://localhost:18080
  • Validation mode: real deployed application, not isolated unit tests

Steps To Reproduce

  • Enable Admidio debug logging.
  • Log in with auto_login=1 enabled.
  • Inspect the generated application log.
  • Observe that the log contains both the ADMIDIO_*_AUTO_LOGIN_ID value and the ADMIDIO_*_SESSION_ID value in cleartext.

PoC Script

from helpers import login, new_session, save_json

def main(): session = new_session() result = login(session, "admin", "AdminPass123!", auto_login=True) save_json("session_logging_login.json", result)

if __name__ == "__main__": main()

PoC Output

{
  "cookies": {
"ADMIDIO_admidio_adm_AUTO_LOGIN_ID": "2%3AnO2BhCdRgFUMKT46e2EzS79Inf4oWiLWzLnX9Ko5",
"ADMIDIO_admidio_adm_SESSION_ID": "iga3ujr67cti6s7btnuhecte67"
  },
  "csrf": "y41CaDdEO7RKug5FIRWO2Dx8w7KVQZ",
  "json": {
"status": "success",
"url": "http://localhost:18080/modules/overview.php"
  },
  "status_code": 200
}

5191:[2026-04-30 20:57:59.555213] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"8224iqk8aqcsb0062d0c3f1ish"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"} 5291:[2026-04-30 20:57:59.575756] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"8224iqk8aqcsb0062d0c3f1ish"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"} 5480:[2026-04-30 20:57:59.623872] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"733jf4j6po8m6b1g7glgaghfsg"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"} 5624:[2026-04-30 20:57:59.663760] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"733jf4j6po8m6b1g7glgaghfsg"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"} 5655:[2026-04-30 20:57:59.788831] Admidio.INFO: Set Cookie! {"name":"ADMIDIO_admidio_adm_SESSION_ID","value":"ovnk3hhpj5829dj63pjk4i7k8b","expire":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":533,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"setCookie"} 5680:[2026-04-30 20:57:59.795443] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"ovnk3hhpj5829dj63pjk4i7k8b"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"} 5815:[2026-04-30 20:57:59.838697] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"ovnk3hhpj5829dj63pjk4i7k8b"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"} 5839:[2026-04-30 20:58:09.374182] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"dvrl2qf92skdeimh77ruglr4ga"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"} 5983:[2026-04-30 20:58:09.423217] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"dvrl2qf92skdeimh77ruglr4ga"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"} 6014:[2026-04-30 20:58:09.550875] Admidio.INFO: Set Cookie! {"name":"ADMIDIO_admidio_adm_SESSION_ID","value":"2th9qe9etfiis6nujdqpkfd9hv","expire":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":533,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"setCookie"} 6039:[2026-04-30 20:58:09.557823] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"2th9qe9etfiis6nujdqpkfd9hv"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"} 6273:[2026-04-30 20:58:19.171185] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"k50i1toh4491o6v0htliv2kafs"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"} 6417:[2026-04-30 20:58:19.212351] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"k50i1toh4491o6v0htliv2kafs"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"} 6448:[2026-04-30 20:58:19.337758] Admidio.INFO: Set Cookie! {"name":"ADMIDIO_admidio_adm_SESSION_ID","value":"4emiuth6i2fc1ho17nahf6n52g","expire":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":533,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"setCookie"} 6473:[2026-04-30 20:58:19.346804] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"4emiuth6i2fc1ho17nahf6n52g"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"} 6605:[2026-04-30 20:58:19.390909] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"4emiuth6i2fc1ho17nahf6n52g"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"} 6635:[2026-04-30 20:58:19.409216] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"4emiuth6i2fc1ho17nahf6n52g"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"} 6676:[2026-04-30 20:58:31.002317] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"aegildsksa0i5184igdk12pdg3"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"} 6820:[2026-04-30 20:58:31.045064] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"aegildsksa0i5184igdk12pdg3"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"} 6853:[2026-04-30 20:58:31.174884] Admidio.INFO: Set Cookie! {"name":"ADMIDIO_admidio_adm_SESSION_ID","value":"9vsc7c5qv9cr4cavugitg6i2l3","expire":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":533,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"setCookie"} 6878:[2026-04-30 20:58:31.184031] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"9vsc7c5qv9cr4cavugitg6i2l3"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"} 7010:[2026-04-30 20:58:40.393679] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"nr7mssfl6eupo9d2pboea7hmb2"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"} 7154:[2026-04-30 20:58:40.438503] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"nr7mssfl6eupo9d2pboea7hmb2"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"} 7185:[2026-04-30 20:58:40.564244] Admidio.INFO: Set Cookie! {"name":"ADMIDIO_admidio_adm_SESSION_ID","value":"sts5aqfsvqghtl6bfq79a3ap2t","expire":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":533,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"setCookie"} 7210:[2026-04-30 20:58:40.571305] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"sts5aqfsvqghtl6bfq79a3ap2t"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"} 7342:[2026-04-30 20:58:40.611506] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"sts5aqfsvqghtl6bfq79a3ap2t"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"} 7414:[2026-04-30 21:01:44.898211] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"dcgm8ebt3hkhmvvk9n860r6i5n"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"} 7558:[2026-04-30 21:01:44.940724] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"dcgm8ebt3hkhmvvk9n860r6i5n"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"} 7591:[2026-04-30 21:01:45.066694] Admidio.INFO: Set Cookie! {"name":"ADMIDIO_admidio_adm_AUTO_LOGIN_ID","value":"2:nO2BhCdRgFUMKT46e2EzS79Inf4oWiLWzLnX9Ko5","expire":1809118905,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":533,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"setCookie"} 7596:[2026-04-30 21:01:45.068352] Admidio.INFO: Set Cookie! {"name":"ADMIDIO_admidio_adm_SESSION_ID","value":"iga3ujr67cti6s7btnuhecte67","expire":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":533,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"setCookie"}

Impact

Any actor with log access can replay or abuse current session IDs and auto-login cookies, leading to session hijacking or long-lived account access depending on deployment and cookie lifetime.

Remediation And Suggestions

Never log raw session identifiers or cookie values. Replace them with fixed labels or redact most of the value before logging.

$gLogger->info('Set Cookie!', [
'name' => $name,
'value' => '[redacted]',
'expire' => $expire,
'path' => $path,
'domain' => $domain,
'secure' => $secure,
'httpOnly' => $httpOnly,
'sameSite' => 'lax',
]);

$gLogger->info('Session Started!', [ 'name' => $sessionName, 'limit' => $limit, 'path' => $path, 'domain' => $domain, 'secure' => $secure, 'httpOnly' => $httpOnly, 'sameSite' => 'lax', 'sessionId' => '[redacted]', ]);

CVSS v3
4.4
EG Score
4.4(low)
EPSS
3.2%
KEV
Not listed

Published

May 29, 2026

Last Modified

May 29, 2026

Vendor Advisories for CVE-2026-47234(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Affected Packages

(1 across 1 ecosystem)
Packagist(1)
PackageVulnerable rangeFixed inDependents
admidio/admidio4.1.0 ... v5.0.9 (55 versions)5.0.10

Data Freshness Timeline

(refreshed 3× in last 7d / 15× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-16 01:46 UTCEG score recompute
  2. 2026-07-14 13:51 UTCEG score recompute
  3. 2026-07-11 16:59 UTCEG score recompute
  4. 2026-07-08 17:15 UTCEG score recompute
  5. 2026-07-02 03:44 UTCEG score recompute
  6. 2026-07-01 01:17 UTCEG score recompute
  7. 2026-06-29 12:29 UTCEG score recompute
  8. 2026-06-28 04:06 UTCEG score recompute
  9. 2026-06-27 04:11 UTCEG score recompute
  10. 2026-06-26 02:40 UTCEG score recompute
  11. 2026-06-25 02:45 UTCEG score recompute
  12. 2026-06-24 02:45 UTCEG score recompute
  13. 2026-06-18 23:46 UTCEG score recompute
  14. 2026-06-17 23:35 UTCEG score recompute
  15. 2026-06-16 23:20 UTCEG score recompute
  16. 2026-06-15 23:23 UTCEG score recompute
  17. 2026-06-14 23:28 UTCEG score recompute
  18. 2026-06-14 23:18 UTCEPSS rescore
  19. 2026-06-13 23:33 UTCEG score recompute
  20. 2026-06-13 23:00 UTCEPSS rescore
  21. 2026-06-12 23:39 UTCEG score recompute
  22. 2026-06-12 23:12 UTCEPSS rescore
  23. 2026-06-11 23:44 UTCEG score recompute
  24. 2026-06-10 23:49 UTCEG score recompute
  25. 2026-06-09 23:54 UTCEG score recompute
Show 10 more
  1. 2026-06-09 00:00 UTCEG score recompute
  2. 2026-06-08 00:05 UTCEG score recompute
  3. 2026-06-07 00:11 UTCEG score recompute
  4. 2026-06-06 00:16 UTCEG score recompute
  5. 2026-06-05 00:22 UTCEG score recompute
  6. 2026-06-04 00:27 UTCEG score recompute
  7. 2026-06-03 00:31 UTCEG score recompute
  8. 2026-06-02 00:36 UTCEG score recompute
  9. 2026-06-01 00:41 UTCEG score recompute
  10. 2026-05-29 22:26 UTCEG score recompute

Frequently asked(5)

What is CVE-2026-47234?
CVE-2026-47234 is a medium vulnerability published on May 29, 2026. Admidio writes session IDs and auto-login cookie values to application logs Summary When debug logging is enabled, Session::setCookie() logs full cookie values and Session::start() logs the current session ID. In a real Admidio deployment this includes both the active session cookie and the…
When was CVE-2026-47234 disclosed?
CVE-2026-47234 was first published in the National Vulnerability Database on May 29, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-47234 actively exploited?
CVE-2026-47234 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 3.2% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-47234?
CVE-2026-47234 has a CVSS v4.0 base score of 4.4 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-47234?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-47234, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-47234

Explore →

Is Your Infrastructure Affected by CVE-2026-47234?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.