Description
Admidio is an open-source user management solution. Prior to version 5.0.9, the member assignment DataTables endpoint (members_assignment_data.php) includes hidden profile fields (BIRTHDAY, STREET, CITY, POSTCODE, COUNTRY) in its SQL search condition regardless of field visibility settings. While the JSON output correctly suppresses hidden columns via isVisible() checks, the server-side search operates at the SQL level before any visibility filtering. This allows a role leader with assign-only permissions to infer hidden PII values by observing which users appear in search results for specific values. This issue has been patched in version 5.0.9.
Published: 2026-05-07
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Admidio the member assignment search endpoint (members_assignment_data.php) builds its SQL search condition over hidden profile fields such as birthday, street, city, postcode, and country without consulting the field visibility settings. The JSON response suppresses those columns, but the database query has already filtered on them, so a role leader with only assign‑only permissions can learn hidden personal data by observing which users are returned for a given search term. The weakness is classified as CWE‑200 (exposure of sensitive information to an unauthorized actor).

Affected Systems

Affected is the open‑source Admidio user management system, version 5.0.8 and earlier. The issue has been fixed in version 5.0.9 and later releases.

Risk and Exploitability

The CVSS 3.1 score of 2.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N) rates the vulnerability as low severity: it is reachable over the network with low attack complexity, but it requires high privileges and affects confidentiality only, to a limited degree. The EPSS estimate is below 1% and the issue is not listed in CISA KEV. Exploitation requires a legitimate account that is a role leader with assign‑only rights. Such a user can repeatedly query the search endpoint with candidate values and observe whether a target user appears in the result set, deducing hidden PII one field at a time. Although the attacker population is limited to authenticated users with that specific permission, the inferred data (dates of birth and home addresses) is sensitive and its disclosure defeats the visibility settings the organisation configured.

Generated by OpenCVE AI on May 7, 2026 at 05:26 UTC.

Remediation

Fixed in Admidio 5.0.9 (stated in the CVE description and in GHSA-68pr-7prh-mpv4); no vendor workaround for earlier versions is listed.

OpenCVE Recommended Actions

  • Upgrade to Admidio 5.0.9 or later, where the search condition no longer includes fields that are hidden from the requesting user.
  • If an upgrade is delayed, audit role leadership and remove assign‑only leader rights from any account that does not strictly need them; only such accounts can reach the affected endpoint.
  • Ensure hidden profile fields are never used in server‑side search conditions: the list of searchable columns must be derived from the same visibility check that controls the output, otherwise the filter becomes a blind oracle for the values the output hides.
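The mechanism from the Impact paragraph, the query‑and‑observe loop from Risk and Exploitability, and the fix described in the last action above, as one added example. This is not Admidio's code and not part of the OpenCVE analysis: it uses a constructed flat SQLite table and a hard‑coded visibility policy (Admidio's real schema and its isVisible() logic are assumed, not reproduced), and it assumes the DataTables global search behaves as a case‑insensitive substring match (SQL LIKE).

```python
import sqlite3

# Profile field names follow the advisory. The flat table below is a constructed
# simplification for this example; it is not Admidio's real schema (assumption).
FIELDS = ("LOGIN_NAME", "FIRST_NAME", "LAST_NAME",
          "BIRTHDAY", "STREET", "CITY", "POSTCODE", "COUNTRY")

# Constructed sample members; none of the hidden values also occur in a visible field.
SAMPLE_MEMBERS = [
    (1, "amueller", "Anna", "Mueller", "1984-03-12", "Hauptstr. 5", "Berlin", "10115", "DE"),
    (2, "bkoch", "Ben", "Koch", "1991-07-30", "Ringweg 12", "Hamburg", "20095", "DE"),
    (3, "cvogel", "Clara", "Vogel", "1978-11-02", "Am Park 3", "Wien", "1010", "AT"),
]


def visibility_for_assign_only_leader():
    """Constructed visibility policy standing in for Admidio's isVisible():
    the fields the advisory lists are hidden from an assign-only role leader."""
    hidden = {"BIRTHDAY", "STREET", "CITY", "POSTCODE", "COUNTRY"}
    return {f: f not in hidden for f in FIELDS}


def open_db():
    """Create an in-memory SQLite database holding the sample members."""
    conn = sqlite3.connect(":memory:")
    cols = ", ".join(f"{f} TEXT" for f in FIELDS)
    conn.execute(f"CREATE TABLE members (usr_id INTEGER PRIMARY KEY, {cols})")
    conn.executemany("INSERT INTO members VALUES (?,?,?,?,?,?,?,?,?)", SAMPLE_MEMBERS)
    return conn


def search_condition(fields, term):
    """DataTables-style global search, assumed to be a substring match:
    (f1 LIKE ? OR f2 LIKE ? ...). Column names come from FIELDS, never from the
    request; the search term is bound as a parameter."""
    if not fields:
        return "1 = 0", []          # nothing searchable: match no rows
    cond = " OR ".join(f"{f} LIKE ?" for f in fields)
    return f"({cond})", [f"%{term}%"] * len(fields)


def search(conn, term, visible, searchable):
    """Filter rows on `searchable` columns, then project only `visible` columns
    into the response. Any column in `searchable` but not in `visible` leaks."""
    where, params = search_condition(searchable, term)
    sql = f"SELECT {', '.join(FIELDS)} FROM members WHERE {where}"
    rows = conn.execute(sql, params).fetchall()
    return [{f: v for f, v in zip(FIELDS, row) if visible[f]} for row in rows]


def search_vulnerable(conn, term, visible):
    """Pre-5.0.9 behaviour as described: every profile field is in the WHERE clause."""
    return search(conn, term, visible, list(FIELDS))


def search_fixed(conn, term, visible):
    """Derive the searchable columns from the same visibility check as the output."""
    return search(conn, term, visible, [f for f in FIELDS if visible[f]])


def infer_hidden_value(search_fn, conn, visible, target_login, candidates):
    """Blind oracle: submit each candidate as the search term and watch whether
    the target user is among the (visibility-filtered) results."""
    for candidate in candidates:
        hits = {row["LOGIN_NAME"] for row in search_fn(conn, candidate, visible)}
        if target_login in hits:
            return candidate
    return None


if __name__ == "__main__":
    db = open_db()
    vis = visibility_for_assign_only_leader()
    postcodes = ["20095", "1010", "10115"]
    print("vulnerable:", infer_hidden_value(search_vulnerable, db, vis, "amueller", postcodes))
    print("fixed:     ", infer_hidden_value(search_fixed, db, vis, "amueller", postcodes))
```

Against the vulnerable variant the oracle recovers amueller's postcode from three candidates although no response ever contains a POSTCODE column; against the fixed variant it recovers nothing, because the hidden columns were removed from the WHERE clause rather than from the output only. The review check for any similar code base is that the searchable column list and the projected column list are produced by the same visibility decision. One caveat for the attacker side: a candidate that also happens to occur in a visible column produces a false positive, so real inference would confirm with a second, disjoint candidate; that does not weaken the defender's fix.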


Advisories

Source: GitHub GHSA
ID: GHSA-68pr-7prh-mpv4
Title: Admidio Leaks Hidden Profile Field Values via Blind Search Oracle in Member Assignment
History

Thu, 07 May 2026 15:15:00 +0000

  Metrics (values added): ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 07 May 2026 05:45:00 +0000

  First Time appeared (values added): Admidio; Admidio admidio
  Vendors & Products (values added): Admidio; Admidio admidio

Thu, 07 May 2026 04:15:00 +0000

  Description (values added): Admidio is an open-source user management solution. Prior to version 5.0.9, the member assignment DataTables endpoint (members_assignment_data.php) includes hidden profile fields (BIRTHDAY, STREET, CITY, POSTCODE, COUNTRY) in its SQL search condition regardless of field visibility settings. While the JSON output correctly suppresses hidden columns via isVisible() checks, the server-side search operates at the SQL level before any visibility filtering. This allows a role leader with assign-only permissions to infer hidden PII values by observing which users appear in search results for specific values. This issue has been patched in version 5.0.9.
  Title (values added): Admidio: Hidden Profile Field Values Leaked via Blind Search Oracle in Member Assignment
  Weaknesses (values added): CWE-200
  References (values added):
  Metrics (values added): cvssV3_1
  {'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T13:44:42.872Z

Reserved: 2026-04-21T23:58:43.803Z

Link: CVE-2026-41659

Vulnrichment

Updated: 2026-05-07T13:44:31.297Z

NVD

Status : Deferred

Published: 2026-05-07T04:16:29.567

Modified: 2026-05-07T15:16:08.253

Link: CVE-2026-41659

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T05:30:22Z

Weaknesses