CVE-2026-41659
Status: Deferred - Pending Action
Information Disclosure in Admidio User Management

Publication date: 2026-05-07

Last updated on: 2026-05-07

Assigner: GitHub, Inc.

Description
Admidio is an open-source user management solution. Prior to version 5.0.9, the member assignment DataTables endpoint (members_assignment_data.php) includes hidden profile fields (BIRTHDAY, STREET, CITY, POSTCODE, COUNTRY) in its SQL search condition regardless of field visibility settings. While the JSON output correctly suppresses hidden columns via isVisible() checks, the server-side search operates at the SQL level before any visibility filtering. This allows a role leader with assign-only permissions to infer hidden PII values by observing which users appear in search results for specific values. This issue has been patched in version 5.0.9.
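As an added illustration (not Admidio's own code), the Python model below builds a DataTables-style search condition two ways: the vulnerable way, which searches every profile column, and the patched way, which drops hidden columns before any SQL is built. ProfileField, FIELDS, build_conn and the member rows are constructed for this example.

```python
import sqlite3
from dataclasses import dataclass

@dataclass(frozen=True)
class ProfileField:
    column: str
    visible: bool  # what the app's isVisible() check returns for this caller

# Constructed field set: names visible, birthday and city hidden to this caller.
FIELDS = [
    ProfileField("first_name", True),
    ProfileField("last_name", True),
    ProfileField("birthday", False),
    ProfileField("city", False),
]

def build_conn():
    """Constructed in-memory member table standing in for the real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members(first_name, last_name, birthday, city)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?, ?)", [
        ("Alice", "Example", "1990-05-12", "Berlin"),
        ("Bob", "Sample", "1985-01-30", "Hamburg"),
    ])
    return conn

def search_condition(fields, term, respect_visibility):
    """Build the WHERE fragment for the search box.

    respect_visibility=False reproduces the vulnerable behaviour: hidden
    columns are still searched, so a hit on a hidden value changes the row
    set and acts as an oracle. respect_visibility=True is the fix: filter
    the column list before any SQL is built.
    """
    cols = [f.column for f in fields if f.visible or not respect_visibility]
    if not cols:
        return "0 = 1", []
    # Column names come from the fixed allowlist above, so interpolating
    # them is safe; the user-supplied term is always bound as a parameter.
    where = " OR ".join(f"{c} LIKE ?" for c in cols)
    return where, [f"%{term}%"] * len(cols)

def visible_rows(conn, fields, term, respect_visibility):
    """Run the search and project only visible columns, as the JSON output does.
    The projection is right in both variants; the leak is in the condition."""
    where, params = search_condition(fields, term, respect_visibility)
    proj = ", ".join(f.column for f in fields if f.visible)
    sql = f"SELECT {proj} FROM members WHERE {where}"
    return conn.execute(sql, params).fetchall()
```

With respect_visibility=False a search for a hidden birthday value still narrows the visible row set, which is the oracle the advisory describes; with respect_visibility=True the same search returns nothing.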
Meta Information
Published: 2026-05-07
Last Modified: 2026-05-07
Generated: 2026-05-18
AI Q&A: 2026-05-07
EPSS Evaluated: 2026-05-11
Affected Vendors & Products (2 associated CPEs)
Vendor    Product    Version / Range
admidio   admidio    5.0.9
admidio   admidio    up to 5.0.9 (excluding)
CWE: CWE-200 - The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows role leaders with assign-only permissions to infer hidden personally identifiable information (PII) such as BIRTHDAY, STREET, CITY, POSTCODE, and COUNTRY by exploiting the server-side search functionality. Since these fields contain sensitive personal data, unauthorized inference of such information could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to and processing of personal data.

The issue arises because the SQL search condition includes hidden profile fields regardless of visibility settings, enabling indirect access to PII without proper authorization. This could be considered a data privacy breach under these regulations, potentially exposing organizations using affected versions of Admidio to compliance risks.

The vulnerability has been patched in version 5.0.9, which addresses the problem by ensuring search columns respect visibility settings before constructing SQL queries, thereby mitigating the risk of unauthorized PII exposure.


Can you explain this vulnerability to me?

This vulnerability exists in Admidio versions 5.0.8 and earlier, specifically in the member assignment DataTables endpoint (members_assignment_data.php). Hidden profile fields such as BIRTHDAY, STREET, CITY, POSTCODE, and COUNTRY are included in the SQL search conditions regardless of their visibility settings.

Although the JSON output correctly hides these fields from display, the server-side search happens at the SQL level before any visibility filtering. This allows a role leader with assign-only permissions to infer hidden personally identifiable information (PII) by observing which users appear in search results for specific search values.

Essentially, an authenticated role leader can perform a blind search oracle attack to enumerate hidden personal data of organization members by crafting targeted search queries and analyzing the filtered results.


How can this vulnerability impact me?

This vulnerability can lead to unauthorized disclosure of hidden personal information such as birthdays, addresses, and other profile details that are meant to be concealed.

A user with assign-only permissions, who normally should not access this sensitive data, can infer these hidden values by analyzing search results, potentially compromising the privacy of organization members.

This could result in privacy breaches, loss of trust, and potential misuse of personal data within the organization.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by observing if role leaders with assign-only permissions are able to infer hidden profile field values by performing targeted searches on the member assignment DataTables endpoint (members_assignment_data.php). Specifically, an authenticated role leader could craft search queries using values for hidden fields such as BIRTHDAY, STREET, CITY, POSTCODE, and COUNTRY and analyze which users appear in the search results.

Detection involves verifying whether the server-side search includes hidden fields in its SQL search conditions regardless of visibility settings.

Suggested commands or steps to detect this issue include:

  • Authenticate as a role leader with assign-only permissions.
  • Send search requests to the members_assignment_data.php endpoint with search parameters targeting hidden fields (e.g., specific BIRTHDAY or CITY values).
  • Observe the returned user lists to see if search results change based on the hidden field values, indicating that the SQL search includes hidden fields.

What immediate steps should I take to mitigate this vulnerability?

The immediate and recommended step to mitigate this vulnerability is to upgrade Admidio to version 5.0.9 or later, where this issue has been patched.

Version 5.0.9 modifies the search functionality to respect visibility settings before constructing the SQL search condition, preventing hidden profile fields from being included in server-side searches.

Until the upgrade can be applied, consider restricting role leader permissions or limiting access to the members_assignment_data.php endpoint to trusted users only.

