Description
Admidio is an open-source user management solution. Prior to version 5.0.9, Role::stopMembership() does not verify whether removing a user from the administrator role leaves zero administrators. The deprecated Membership::stopMembership() contains this safety check, but the current code path bypasses it. Any administrator can remove the last remaining other administrator, locking the entire system out of administrative access. The exploit does not require concurrent requests; sequential removals produce the same result. This issue has been patched in version 5.0.9.
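The missing check described above, modelled as an added example that is not Admidio's own code: a toy in-memory role store whose unguarded removal reproduces the sequential lockout, beside a guarded form that refuses to remove the last administrator. The role name, user ids and method names are assumptions for illustration.

```python
# Added illustrative model, not Admidio's own code: an in-memory role store that
# contrasts the unguarded pre-5.0.9 Role::stopMembership() path with a guarded
# form that refuses to empty the administrator role. Names are assumptions.
from dataclasses import dataclass, field

ADMIN_ROLE = "Administrator"  # assumed name of the administrator role


class LastAdministratorError(Exception):
    """Raised when a removal would leave the administrator role with no members."""


@dataclass
class RoleStore:
    members: dict = field(default_factory=dict)   # role -> set of active user ids
    audit_log: list = field(default_factory=list)  # (actor, role, user, outcome)

    def active_members(self, role):
        return set(self.members.get(role, set()))

    def stop_membership_unchecked(self, actor, role, user_id):
        """Vulnerable behaviour: the membership ends with no minimum-admin check."""
        self.members.setdefault(role, set()).discard(user_id)
        self.audit_log.append((actor, role, user_id, "removed"))

    def stop_membership(self, actor, role, user_id):
        """Guarded behaviour: refuse a removal that would leave zero administrators.
        A database-backed version must run the count and the removal in one
        transaction with the role's membership rows locked, otherwise two
        concurrent requests can both see 'two admins left' and both succeed."""
        current = self.active_members(role)
        if role == ADMIN_ROLE and user_id in current and len(current) == 1:
            self.audit_log.append((actor, role, user_id, "refused-last-admin"))
            raise LastAdministratorError(f"{user_id} is the last {role}")
        self.stop_membership_unchecked(actor, role, user_id)


def replay_sequential_removals(guarded):
    """Advisory scenario: admin 'alice' removes 'bob', then removes herself.
    Returns (administrators left, audit log). Sample data is constructed."""
    store = RoleStore({ADMIN_ROLE: {"alice", "bob"}})
    remove = store.stop_membership if guarded else store.stop_membership_unchecked
    for target in ("bob", "alice"):
        try:
            remove("alice", ADMIN_ROLE, target)
        except LastAdministratorError:
            pass  # the guarded store logs the refusal and keeps the last admin
    return store.active_members(ADMIN_ROLE), store.audit_log
```

The audit log entries are the signal an operator would alert on: a "refused-last-admin" outcome means someone attempted the lockout the advisory describes.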
Published: 2026-05-07
Score: 5.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the Admidio role management code, where an administrator can call Role::stopMembership() to remove another administrator without the system checking that the action would leave at least one remaining administrator. Because the deprecated method containing the safety guard is bypassed, an admin can remove the last other administrator, effectively locking the system out of any administrative interface. This leads to a denial of administrative access, which can destabilize operations or force a restoration from backup, and represents a medium severity risk as indicated by the CVSS score.

Affected Systems

The affected application is Admidio. Versions released before 5.0.9 are vulnerable. Any deployment using Admidio before this patch is subject to the issue.

Risk and Exploitability

The CVSS score of 5.2 classifies the vulnerability as medium, but the lack of an EPSS score means the current exploitation likelihood is unknown. The issue requires no network-side conditions beyond administrator privileges; a single administrative account can perform the removal. The impact is isolated to the administration subsystem and can permanently lock out all administrators if no backup account exists. The vulnerability is not listed in CISA's KEV catalog, indicating no confirmed public exploits as of now.

Generated by OpenCVE AI on May 7, 2026 at 05:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest version of Admidio (5.0.9 or later), which includes the fix
  • Ensure that at least two users hold the administrator role before removing any member, guaranteeing a remaining admin
  • Enable auditing of role removal actions to detect potential lockouts

Advisories

Source: GitHub GHSA
ID: GHSA-c7xm-r6vj-8vg6
Title: Admidio Missing Minimum Administrator Check in Role Membership Removal

History

Thu, 07 May 2026 14:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 07 May 2026 06:15:00 +0000

Type: First Time appeared
Values Added: Admidio; Admidio admidio

Type: Vendors & Products
Values Added: Admidio; Admidio admidio

Thu, 07 May 2026 04:15:00 +0000

Type: Description
Values Added: Admidio is an open-source user management solution. Prior to version 5.0.9, Role::stopMembership() does not verify whether removing a user from the administrator role leaves zero administrators. The deprecated Membership::stopMembership() contains this safety check, but the current code path bypasses it. Any administrator can remove the last remaining other administrator, locking the entire system out of administrative access. The exploit does not require concurrent requests; sequential removals produce the same result. This issue has been patched in version 5.0.9.

Type: Title
Values Added: Admidio: Missing Minimum Administrator Check in Role Membership Removal

Type: Weaknesses
Values Added: CWE-754

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 5.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T14:06:48.349Z

Reserved: 2026-04-21T23:58:43.803Z

Link: CVE-2026-41662

Vulnrichment

Updated: 2026-05-07T14:06:42.197Z

NVD

Status : Received

Published: 2026-05-07T04:16:30.080

Modified: 2026-05-07T04:16:30.080

Link: CVE-2026-41662

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T06:00:15Z

Weaknesses