Description
Admidio is an open-source user management solution. Prior to version 5.0.9, the contacts_data.php endpoint uses a weaker permission check (isAdministratorUsers(), requiring only rol_edit_user=true) than the frontend UI (contacts.php), which correctly requires the stronger isAdministrator() (requiring rol_administrator=true) and the contacts_show_all system setting. A user manager who is not a full administrator can directly request contacts_data.php?mem_show_filter=3 to retrieve all user records across all organizations in the Admidio instance, bypassing multi-tenant organization isolation. This issue has been patched in version 5.0.9.
Published: 2026-05-07
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Admidio’s contacts_data.php endpoint performed a weaker authorization check than the rest of the application. It only required the rol_edit_user permission, which is granted to user managers, whereas the UI page contacts.php correctly requires full administrator status. An attacker with user‑manager rights can therefore call contacts_data.php directly with the mem_show_filter parameter set to 3 and retrieve all user records across every organization in the instance, bypassing the intended multi‑tenant isolation. The result is unauthorized disclosure of member data, potentially exposing personally identifying information and other sensitive attributes to users with limited administrative privileges.
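A self-contained PHP model of the mismatch described above (an added illustration, not Admidio's code: the Settings and User stand-in classes and the two function names are assumptions; only rol_edit_user, rol_administrator, isAdministratorUsers(), isAdministrator(), contacts_show_all and mem_show_filter=3 come from the advisory). It places the pre-5.0.9 check beside a hardened check that applies the same gate contacts.php uses whenever the filter spans every organization.

```php
<?php
// Stand-ins for Admidio's settings and user objects (assumptions, not the real classes).
final class Settings {
    public function __construct(private array $values) {}
    public function getBool(string $key): bool { return (bool)($this->values[$key] ?? false); }
}

final class User {
    // Role flags named after the rol_* columns cited in the advisory.
    public function __construct(private bool $rolEditUser, private bool $rolAdministrator) {}
    // Weak check: any user manager (rol_edit_user=true) passes.
    public function isAdministratorUsers(): bool { return $this->rolEditUser; }
    // Strong check: only full administrators (rol_administrator=true) pass.
    public function isAdministrator(): bool { return $this->rolAdministrator; }
}

const SHOW_ALL_ORGANIZATIONS = 3; // mem_show_filter value that spans every organization

// Pre-5.0.9 behaviour: the data endpoint asks only the weak question, so the
// filter value and the contacts_show_all setting never influence the decision.
function vulnerableContactsData(User $user, Settings $settings, int $memShowFilter): bool {
    return $user->isAdministratorUsers();
}

// Hardened behaviour: the cross-organization filter gets the same gate contacts.php uses.
function hardenedContactsData(User $user, Settings $settings, int $memShowFilter): bool {
    if (!$user->isAdministratorUsers()) {
        return false; // not even a user manager: no member data at all
    }
    if ($memShowFilter === SHOW_ALL_ORGANIZATIONS) {
        // Same two conditions the UI enforces: full administrator AND the system setting.
        return $user->isAdministrator() && $settings->getBool('contacts_show_all');
    }
    return true; // own-organization views remain available to user managers
}

// Constructed sample principals: a user manager and a full administrator.
$settings = new Settings(['contacts_show_all' => true]);
$principals = [
    'user manager'  => new User(rolEditUser: true, rolAdministrator: false),
    'administrator' => new User(rolEditUser: true, rolAdministrator: true),
];
foreach ($principals as $label => $user) {
    printf("%-14s vulnerable=%s hardened=%s\n", $label,
        var_export(vulnerableContactsData($user, $settings, SHOW_ALL_ORGANIZATIONS), true),
        var_export(hardenedContactsData($user, $settings, SHOW_ALL_ORGANIZATIONS), true));
}
```

The point of the comparison is that an authorization decision must be made where the data is served, not only in the page that renders it; a data endpoint reachable without the UI is an independent entry point and needs the full gate.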

Affected Systems

The affected product is Admidio (open‑source user management). All releases prior to v5.0.9 are vulnerable. The official fix is included in Admidio v5.0.9 and later versions.

Risk and Exploitability

The CVSS score is 4.9, classifying the issue as moderate severity. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog. Attackers must be able to reach the Admidio instance over HTTP/HTTPS to issue the request to contacts_data.php and provide a valid session token for a user manager. Because no automated exploit is documented, the practical likelihood of exploitation depends on the organization’s exposure of the endpoint and the distribution of the user‑manager role. Nevertheless, the data exposure risk merits remediation in any production deployment.

Generated by OpenCVE AI on May 7, 2026 at 05:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Admidio to version 5.0.9 or later to incorporate the fixed permission logic.
  • Verify that user‑manager roles do not possess the rol_edit_user privilege if it is unnecessary, and review the contacts_show_all system setting to limit the scope of exposed data.
  • Implement an application‑layer or web‑server access restriction for contacts_data.php to prevent direct requests from unauthenticated or non‑authorized users, thereby adding an additional protection layer until a patch is applied.

Advisories
Source: Github GHSA
ID: GHSA-g8p8-94f2-28gr
Title: Admidio Exposes Cross-Organization Member Data via Permission Check Mismatch in contacts_data.php
History

Thu, 07 May 2026 13:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 07 May 2026 05:45:00 +0000

Type: First Time appeared
Values Added: Admidio; Admidio admidio
Type: Vendors & Products
Values Added: Admidio; Admidio admidio

Thu, 07 May 2026 04:15:00 +0000

Type: Description
Values Added: Admidio is an open-source user management solution. Prior to version 5.0.9, the contacts_data.php endpoint uses a weaker permission check (isAdministratorUsers(), requiring only rol_edit_user=true) than the frontend UI (contacts.php), which correctly requires the stronger isAdministrator() (requiring rol_administrator=true) and the contacts_show_all system setting. A user manager who is not a full administrator can directly request contacts_data.php?mem_show_filter=3 to retrieve all user records across all organizations in the Admidio instance, bypassing multi-tenant organization isolation. This issue has been patched in version 5.0.9.
Type: Title
Values Added: Admidio: Cross-Organization Member Data Exposure via Permission Check Mismatch in contacts_data.php
Type: Weaknesses
Values Added: CWE-863
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T12:44:25.356Z

Reserved: 2026-04-21T23:58:43.803Z

Link: CVE-2026-41657

Vulnrichment

Updated: 2026-05-07T12:43:44.178Z

NVD

Status: Received

Published: 2026-05-07T04:16:28.920

Modified: 2026-05-07T13:16:12.020

Link: CVE-2026-41657

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T06:00:16Z

Weaknesses