CVE-2026-41660 - Vulnerability Details

- Admidio: Inverted 2FA Reset Authorization Check Lets Group Leaders Strip Admin TOTP

Description

Admidio is an open-source user management solution. Prior to version 5.0.9, a logic error in Admidio's two-factor authentication reset inverts the authorization check. Non-admin users cannot remove their own TOTP configuration, but they can remove other users' TOTP, including administrators. A group leader with profile edit rights on an admin account can strip that admin's 2FA. This issue has been patched in version 5.0.9.

Published: 2026-05-07

Score: 7.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A logic error in Admidio’s two‑factor authentication reset inverts an authorization check: non‑admin users can’t delete their own TOTP, but they can delete other users’ TOTP, including that of administrators. This flaw, identified as a CWE‑863 authorization error, lets a group leader who has rights to edit an admin profile strip the admin’s 2‑factor authentication. The result is that an attacker with group leader privileges can reduce an administrator’s account to a single‑factor login, enabling subsequent privilege escalation or account takeover if additional credentials are compromised.

Affected Systems

The vulnerability affects installations of Admidio predating version 5.0.9. Users with group leader status who can edit admin profiles are able to exploit the flaw and remove an admin’s TOTP configuration. The issue is independent of operating system or deployment environment, as it is a bug in the application logic.

Risk and Exploitability

With a CVSS score of 7.1 the vulnerability is in the high‑risk range. Although an EPSS score is not available and the flaw is not listed in the CISA KEV catalog, the exploitation likelihood is concrete: an attacker only needs a legitimate group leader account and permission to modify an admin entry, both common in typical user‑management setups. If successfully exploited, the attacker can render an administrator account accessible with only a password, significantly weakening security controls.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Admidio

admidio

affected

Version	Status	Constraints
`< 5.0.9`	affected	—

No data.

Vendor Product Confidence Versions

Admidio

100%

Version	Status	Scheme	Platform
`[0,5.0.9)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply Admidio version 5.0.9 or later to resolve the inverted authorization check.
If an upgrade is not yet possible, temporarily remove or restrict group leaders’ ability to edit administrator profiles until the patch is applied.
Once patched, review all administrator accounts, re‑enable 2‑factor authentication for any that were disabled, and audit logs for unauthorized changes.

Generated by OpenCVE AI on May 7, 2026 at 05:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-rh3w-4ccx-prf9	Admidio has Inverted 2FA Reset Authorization Check that Lets Group Leaders Strip Admin TOTP

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00057.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/Admidio/admidio/releases/tag/v5.0.9
https://github.com/Admidio/admidio/security/advisories/GHSA-rh3w-4ccx-prf9

History

Thu, 07 May 2026 13:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 07 May 2026 06:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Admidio Admidio admidio
Vendors & Products		Admidio Admidio admidio

Thu, 07 May 2026 04:15:00 +0000

Type	Values Removed	Values Added
Description		Admidio is an open-source user management solution. Prior to version 5.0.9, a logic error in Admidio's two-factor authentication reset inverts the authorization check. Non-admin users cannot remove their own TOTP configuration, but they can remove other users' TOTP, including administrators. A group leader with profile edit rights on an admin account can strip that admin's 2FA. This issue has been patched in version 5.0.9.
Title		Admidio: Inverted 2FA Reset Authorization Check Lets Group Leaders Strip Admin TOTP
Weaknesses		CWE-863
References		https://github.com/Admidio/admidio/releases/tag/v5.0.9 https://github.com/Admidio/admidio/security/advisories/GHSA-rh3w-4ccx-prf9
Metrics		cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L'}`

Subscriptions

Admidio Admidio

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-07T02:59:29.810Z

Updated: 2026-05-07T12:44:52.834Z

Reserved: 2026-04-21T23:58:43.803Z

Link: CVE-2026-41660

Vulnrichment

Updated: 2026-05-07T12:44:45.447Z

NVD

Status : Received

Published: 2026-05-07T04:16:29.740

Modified: 2026-05-07T13:16:12.157

Link: CVE-2026-41660

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T06:00:15Z

Weaknesses

CWE-863

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact Low

User Interaction None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object