CVE-2026-41659
Deferred Deferred - Pending Action
Information Disclosure in Admidio User Management

Publication date: 2026-05-07

Last updated on: 2026-05-07

Assigner: GitHub, Inc.

Description
Admidio is an open-source user management solution. Prior to version 5.0.9, the member assignment DataTables endpoint (members_assignment_data.php) includes hidden profile fields (BIRTHDAY, STREET, CITY, POSTCODE, COUNTRY) in its SQL search condition regardless of field visibility settings. While the JSON output correctly suppresses hidden columns via isVisible() checks, the server-side search operates at the SQL level before any visibility filtering. This allows a role leader with assign-only permissions to infer hidden PII values by observing which users appear in search results for specific values. This issue has been patched in version 5.0.9.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-07
Last Modified
2026-05-07
Generated
2026-06-16
AI Q&A
2026-05-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-41659
EUVD
EUVD-2026-28270
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
admidio admidio 5.0.9
admidio admidio to 5.0.9 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Admidio versions 5.0.8 and earlier, specifically in the member assignment DataTables endpoint (members_assignment_data.php). Hidden profile fields such as BIRTHDAY, STREET, CITY, POSTCODE, and COUNTRY are included in the SQL search conditions regardless of their visibility settings.

Although the JSON output correctly hides these fields from display, the server-side search happens at the SQL level before any visibility filtering. This allows a role leader with assign-only permissions to infer hidden personally identifiable information (PII) by observing which users appear in search results for specific search values.

Essentially, an authenticated role leader can perform a blind search oracle attack to enumerate hidden personal data of organization members by crafting targeted search queries and analyzing the filtered results.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of hidden personal information such as birthdays, addresses, and other profile details that are meant to be concealed.

A user with assign-only permissions, who normally should not access this sensitive data, can infer these hidden values by analyzing search results, potentially compromising the privacy of organization members.

This could result in privacy breaches, loss of trust, and potential misuse of personal data within the organization.

Detection Guidance

This vulnerability can be detected by observing if role leaders with assign-only permissions are able to infer hidden profile field values by performing targeted searches on the member assignment DataTables endpoint (members_assignment_data.php). Specifically, an authenticated role leader could craft search queries using values for hidden fields such as BIRTHDAY, STREET, CITY, POSTCODE, and COUNTRY and analyze which users appear in the search results.

Detection involves verifying whether the server-side search includes hidden fields in its SQL search conditions regardless of visibility settings.

Suggested commands or steps to detect this issue include:

  • Authenticate as a role leader with assign-only permissions.
  • Send search requests to the members_assignment_data.php endpoint with search parameters targeting hidden fields (e.g., specific BIRTHDAY or CITY values).
  • Observe the returned user lists to see if search results change based on the hidden field values, indicating that the SQL search includes hidden fields.
Mitigation Strategies

The immediate and recommended step to mitigate this vulnerability is to upgrade Admidio to version 5.0.9 or later, where this issue has been patched.

Version 5.0.9 modifies the search functionality to respect visibility settings before constructing the SQL search condition, preventing hidden profile fields from being included in server-side searches.

Until the upgrade can be applied, consider restricting role leader permissions or limiting access to the members_assignment_data.php endpoint to trusted users only.

Compliance Impact

This vulnerability allows role leaders with assign-only permissions to infer hidden personally identifiable information (PII) such as BIRTHDAY, STREET, CITY, POSTCODE, and COUNTRY by exploiting the server-side search functionality. Since these fields contain sensitive personal data, unauthorized inference of such information could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to and processing of personal data.

The issue arises because the SQL search condition includes hidden profile fields regardless of visibility settings, enabling indirect access to PII without proper authorization. This could be considered a data privacy breach under these regulations, potentially exposing organizations using affected versions of Admidio to compliance risks.

The vulnerability has been patched in version 5.0.9, which addresses the problem by ensuring search columns respect visibility settings before constructing SQL queries, thereby mitigating the risk of unauthorized PII exposure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41659. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart