CVE-2026-41657 - Vulnerability Details

CVE-2026-41657 - Admidio: Cross-Organization Member Data Exposure via Permission Check Mismatch in contacts_data.php

Admidio is an open-source user management solution. Prior to version 5.0.9, the contacts_data.php endpoint uses a weaker permission check (isAdministratorUsers(), requiring only rol_edit_user=true) than the frontend UI (contacts.php) which correctly requires the stronger isAdministrator() (requiring rol_administrator=true) and the contacts_show_all system setting. A user manager who is not a full administrator can directly request contacts_data.php?mem_show_filter=3 to retrieve all user records across all organizations in the Admidio instance, bypassing multi-tenant organization isolation. This issue has been patched in version 5.0.9.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Admidio

admidio

affected

Version	Status	Constraints
`< 5.0.9`	affected	—

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Admidio Subscribe	Admidio Subscribe

Project Subscriptions

Vendors	Products
Admidio Subscribe	Admidio Subscribe

Advisories

Source	ID	Title
Github GHSA	GHSA-g8p8-94f2-28gr	Admidio Exposes Cross-Organization Member Data via Permission Check Mismatch in contacts_data.php

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/Admidio/admidio/releases/tag/v5.0.9
https://github.com/Admidio/admidio/security/advisories/GHSA-g8p8-94f2-28gr

History

Thu, 07 May 2026 05:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Admidio Admidio admidio
Vendors & Products		Admidio Admidio admidio

Thu, 07 May 2026 04:15:00 +0000

Type	Values Removed	Values Added
Description		Admidio is an open-source user management solution. Prior to version 5.0.9, the contacts_data.php endpoint uses a weaker permission check (isAdministratorUsers(), requiring only rol_edit_user=true) than the frontend UI (contacts.php) which correctly requires the stronger isAdministrator() (requiring rol_administrator=true) and the contacts_show_all system setting. A user manager who is not a full administrator can directly request contacts_data.php?mem_show_filter=3 to retrieve all user records across all organizations in the Admidio instance, bypassing multi-tenant organization isolation. This issue has been patched in version 5.0.9.
Title		Admidio: Cross-Organization Member Data Exposure via Permission Check Mismatch in contacts_data.php
Weaknesses		CWE-863
References		https://github.com/Admidio/admidio/releases/tag/v5.0.9 https://github.com/Admidio/admidio/security/advisories/GHSA-g8p8-94f2-28gr
Metrics		cvssV3_1 `{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-07T02:58:09.340Z

Updated: 2026-05-07T02:58:09.340Z

Reserved: 2026-04-21T23:58:43.803Z

Link: CVE-2026-41657

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-07T04:16:28.920

Modified: 2026-05-07T04:16:28.920

Link: CVE-2026-41657

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T05:30:22Z

Weaknesses

CWE-863

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object