CVE-2026-34383: Admidio has CSRF and Form Validation Bypass in Inventory Item Save via `imported` Parameter
The inventory module's `item_save` endpoint accepts a user-controllable POST parameter `imported` that, when set to `true`, completely bypasses both CSRF token validation and server-side form validation. An authenticated user can craft a direct POST request to save arbitrary inventory item data without CSRF protection and without the field value checks that the `FormPresenter` validation normally enforces.
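The pattern described above, reduced to a PHP sketch next to a hardened form. This is an added illustration, not Admidio's source: the function names, field rules and `csrf_token` field are hypothetical, and only the `imported` parameter comes from the advisory.

```php
<?php
// Hypothetical stand-ins (not Admidio code): per-field rules for an inventory item.
const FIELD_RULES = [
    'item_name' => '/^[\p{L}\p{N} ._-]{1,100}\z/u',
    'quantity'  => '/^\d{1,6}\z/',
];

// Constant-time comparison of the submitted token with the session-bound one.
function csrfValid(array $session, array $post): bool
{
    return isset($session['csrf'], $post['csrf_token'])
        && is_string($post['csrf_token'])
        && hash_equals($session['csrf'], $post['csrf_token']);
}

// Returns the names of the fields that fail their rule.
function fieldErrors(array $post): array
{
    $errors = [];
    foreach (FIELD_RULES as $field => $pattern) {
        $value = $post[$field] ?? '';
        if (!is_string($value) || preg_match($pattern, $value) !== 1) {
            $errors[] = $field;
        }
    }
    return $errors;
}

// Flawed pattern: a flag read from the request body switches both checks off.
function saveItemVulnerable(array $session, array $post): string
{
    $imported = ($post['imported'] ?? '') === 'true';
    if (!$imported) {
        if (!csrfValid($session, $post)) { return 'rejected: csrf'; }
        if (fieldErrors($post) !== [])   { return 'rejected: validation'; }
    }
    return 'saved';
}

// Hardened: both checks are unconditional; request data never decides whether they run.
function saveItemHardened(array $session, array $post): string
{
    if (!csrfValid($session, $post)) { return 'rejected: csrf'; }
    return fieldErrors($post) === [] ? 'saved' : 'rejected: validation';
}

// Constructed request data: no CSRF token, an invalid quantity, and the client-set flag.
$session = ['csrf' => bin2hex(random_bytes(16))];
$post    = ['imported' => 'true', 'item_name' => 'Projector', 'quantity' => '-5'];
foreach (['saveItemVulnerable', 'saveItemHardened'] as $fn) {
    echo $fn, ': ', $fn($session, $post), PHP_EOL;
}
```

If an import workflow genuinely needs different handling, that decision belongs in server-side state (for example, a flag set by the import controller itself), and the imported rows should still pass field validation.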