Description
Admidio is an open-source user management solution. Prior to 5.0.6, in modules/events/events_function.php, the event participation logic allows any user who can participate in an event to register OTHER users by manipulating the user_uuid GET parameter. The condition uses || (OR), meaning if possibleToParticipate() returns true (event is open for participation), ANY user - not just leaders - can specify a different user_uuid and register/cancel participation for that user. The code then operates on $user->getValue('usr_id') (the target user from user_uuid) rather than the current user. This vulnerability is fixed in 5.0.6.
Published: 2026-03-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized event participation via IDOR
Action: Patch
AI Analysis

Impact

The vulnerability exists in the event participation module of Admidio; an OR condition allows any user who has permission to participate to manipulate the user_uuid parameter and register or cancel participation for another user. By setting a different user_uuid value, an attacker can cause a non‑leader to appear registered, or remove another user's registration, altering attendance records without permission.

Affected Systems

Admidio installations running any version before 5.0.6 are affected. The flaw appears in modules/events/events_function.php and applies to all authenticated users who can participate in events, regardless of leadership status.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The EPSS score is less than 1%, suggesting a very low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated web access and the ability to modify the user_uuid GET parameter. No elevated privileges beyond the standard event‑participation rights are necessary.

Generated by OpenCVE AI on April 17, 2026 at 11:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Admidio to version 5.0.6 or later, which removes the OR condition and enforces proper user identification.
  • If an immediate upgrade is not possible, revoke the event‑participation permission from non‑leader roles so that only leaders can alter participation via the user_uuid parameter.
  • As an interim measure, modify modules/events/events_function.php to validate that the supplied user_uuid matches the authenticated user’s own identifier when the requester is not a leader, or reject such requests entirely.

Generated by OpenCVE AI on April 17, 2026 at 11:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-7pfv-hr63-h7cw Admidio: Event participation IDOR - non-leaders can register other users for events via user_uuid parameter
History

Fri, 13 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}

Tue, 10 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Admidio
Admidio admidio
Vendors & Products Admidio
Admidio admidio
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 23:15:00 +0000

Type Values Removed Values Added
Description Admidio is an open-source user management solution. Prior to 5.0.6, in modules/events/events_function.php, the event participation logic allows any user who can participate in an event to register OTHER users by manipulating the user_uuid GET parameter. The condition uses || (OR), meaning if possibleToParticipate() returns true (event is open for participation), ANY user - not just leaders - can specify a different user_uuid and register/cancel participation for that user. The code then operates on $user->getValue('usr_id') (the target user from user_uuid) rather than the current user. This vulnerability is fixed in 5.0.6.
Title Admidio: Event participation IDOR - non-leaders can register other users for events via user_uuid parameter
Weaknesses CWE-639
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Admidio Admidio
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T13:59:12.645Z

Reserved: 2026-03-07T16:40:05.884Z

Link: CVE-2026-30927

cve-icon Vulnrichment

Updated: 2026-03-10T13:58:56.120Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T17:40:16.520

Modified: 2026-03-13T14:45:47.863

Link: CVE-2026-30927

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T12:00:11Z

Weaknesses