SB20260423146 - Authorization bypass through user-controlled key in Admidio



SB20260423146 - Authorization bypass through user-controlled key in Admidio

Published: April 23, 2026

Security Bulletin ID SB20260423146
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 vulnerability.


1) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-30927)

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to modify other users' event participation records.

The vulnerability exists due to authorization bypass through a user-controlled key in modules/events/events_function.php when handling the user_uuid GET parameter for event participation requests. A remote user can supply a different user_uuid value to modify other users' event participation records.

This can be used to register other users for events, cancel their participation, manipulate participant counts and comments, and fill limited participation slots.


Remediation

Install update from vendor's website.