CVE Reports

Posted on • Originally published at cvereports.com

Adminer CVE-2026-25892: The Self-Destructing Version Check

Vulnerability ID: CVE-2026-25892
CVSS Score: 7.5
Published: 2026-02-10

Adminer, the popular single-file database management tool, contains a logic flaw in its update mechanism that allows unauthenticated attackers to persistently brick the application. By feeding a malformed array to the version check endpoint, an attacker can trick the server into serializing 'poisoned' data to disk. When the application attempts to verify this data on subsequent requests, it triggers a fatal PHP 8 TypeError, causing a Denial of Service (DoS) for all users until the temporary file is manually deleted.

TL;DR

Unauthenticated DoS in Adminer versions < 5.4.2. An attacker can send a POST request containing an array-typed parameter (version[]) to the ?script=version endpoint. The handler serializes that array to a temp file. On the next page load, PHP 8 throws a TypeError when the array is passed to openssl_verify(), effectively killing the Adminer instance.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-20 (Improper Input Validation)
  • Attack Vector: Network
  • CVSS: 7.5 (High)
  • Impact: Denial of Service (Persistent)
  • Exploit Status: PoC Available
  • Language: PHP 8.x

Affected Systems

  • Adminer
  • Adminer: >= 4.6.2 < 5.4.2 (Fixed in: 5.4.2)

Code Analysis

Commit: 21d3a31

Remove server-side version check to prevent array injection DoS

-if ($_GET["script"] == "version") {
-    $filename = get_temp_dir() . "/adminer.version";
-    @unlink($filename);
-    $fp = file_open_lock($filename);
-    if ($fp) {
-        file_write_unlock($fp, serialize(array("signature" => $_POST["signature"], "version" => $_POST["version"])));
-    }
-    exit;
-}
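Review bot: Removing the handler closes the write path, but this hunk does not touch the reader side, so an adminer.version file already written by a vulnerable build (under get_temp_dir()) is still deserialized and handed to openssl_verify() on the next request; the page's mitigation therefore still requires a manual delete. Suggest either unlinking the stale file on first run after upgrade or having the reader check is_string() on both "signature" and "version" before verification, so that upgrading alone restores service. Worth stating in the commit message that the removed lines wrote $_POST["signature"] and $_POST["version"] to disk with no type check, since that is the injection point.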

Exploit Details

  • Manual: cURL command to inject array into version parameter

Mitigation Strategies

  • Upgrade to Adminer v5.4.2 or later immediately.
  • Manually delete the poison file (e.g., /tmp/adminer.version) to restore service.
  • Configure WAF rules to block requests to ?script=version.

Remediation Steps:

  1. Locate the system temporary directory (often /tmp on Linux).
  2. Find and delete adminer.version.
  3. Replace adminer.php with the latest version from the official website.
  4. Verify the ?script=version endpoint no longer responds to POST requests.
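Remediation steps 1 and 2 above (locate the temp directory, remove the poisoned adminer.version) as an added shell example; this is not Adminer project code. It assumes PHP's serialize() output format for the file: a healthy file stores both fields as strings (s:), while a version[] or signature[] request produces a nested array (a:) in that position.

```shell
#!/bin/sh
# Added example, not part of Adminer. Inspects the version-check cache file
# that the vulnerable ?script=version handler wrote and removes it only when
# it has the poisoned shape described in the advisory.
#
# Assumed file contents (PHP serialize() output):
#   clean:    a:2:{s:9:"signature";s:N:"...";s:7:"version";s:M:"...";}
#   poisoned: one of the two values is an array, e.g.
#             s:7:"version";a:1:{i:0;s:1:"x";}

# Print "missing", "clean", "poisoned" or "unknown" for the file at $1.
adminer_version_state() {
    file="$1"
    [ -f "$file" ] || { echo missing; return 0; }
    data=$(cat "$file")
    # A string value begins with s:<len>:" ; an array value begins with a:<n>:{
    case "$data" in
        *'"signature";a:'*|*'"version";a:'*) echo poisoned ;;
        *'"signature";s:'*'"version";s:'*)   echo clean ;;
        *)                                    echo unknown ;;
    esac
}

# Delete adminer.version in the given temp dir (default: $TMPDIR or /tmp,
# per step 1 above) only if it is poisoned. Returns 0 when a file was
# removed, 1 otherwise, so it can be chained in a post-upgrade script.
purge_poisoned_version_file() {
    dir="${1:-${TMPDIR:-/tmp}}"
    file="$dir/adminer.version"
    if [ "$(adminer_version_state "$file")" = poisoned ]; then
        rm -f "$file" && echo "removed $file" && return 0
    fi
    return 1
}
```

Run `purge_poisoned_version_file` with no argument on the affected host; a clean cache file is left alone so a healthy instance is not disturbed.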

Read the full report for CVE-2026-25892 on our website for more details including interactive diagrams and full exploit analysis.
