SB20260423148 - Multiple vulnerabilities in Admidio
Published: April 23, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 13 vulnerabilities.
1) Cross-site request forgery (CVE-ID: CVE-2026-41663)
CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to perform unauthorized administrative actions.
The vulnerability exists due to cross-site request forgery in admin preferences when handling crafted requests from an authenticated administrator's browser. A remote privileged user can trick a victim into following a crafted link or loading attacker-controlled content to perform unauthorized administrative actions.
User interaction is required.
2) Incorrect authorization (CVE-ID: CVE-2026-41660)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disable two-factor authentication on administrator accounts.
The vulnerability exists due to incorrect authorization in modules/profile/two_factor_authentication.php when handling two-factor authentication reset requests. A remote user can send a crafted reset request targeting another user's account to disable two-factor authentication on administrator accounts.
Exploitation requires profile edit rights on the targeted account.
3) Improper Check for Unusual or Exceptional Conditions (CVE-ID: CVE-2026-41662)
CWE-ID: CWE-754 - Improper Check for Unusual or Exceptional Conditions
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to improper check for unusual or exceptional conditions in Role::stopMembership() when removing a user from the administrator role. A remote privileged user can send a crafted membership removal request to cause a denial of service.
User interaction is required, and exploitation requires two active administrator accounts with valid sessions.
4) Cross-site scripting (CVE-ID: CVE-2026-41661)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary JavaScript in a user's browser.
The vulnerability exists due to cross-site scripting in system/msg_window.php when handling crafted GET parameters. A remote attacker can send a specially crafted link to execute arbitrary JavaScript in a user's browser.
User interaction is required, and the issue is triggered via the message_id and message_var1 parameters after square brackets in user input are converted into HTML angle brackets.
5) Information disclosure (CVE-ID: CVE-2026-41659)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the members_assignment_data.php member assignment DataTables endpoint when processing search requests. A remote privileged user can send crafted search values to disclose sensitive information.
Hidden profile fields are excluded from the JSON output, but search filtering is still performed against hidden birthday, street, city, postcode, and country fields, allowing inference from matching results and filtered record counts.
6) Path traversal (CVE-ID: CVE-2026-41656)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to path traversal in the add mode of modules/documents-files.php and the documents file handling logic when processing a crafted name parameter. A remote privileged user can trick a documents administrator into clicking a crafted link to disclose sensitive information.
User interaction is required, and exploitation relies on the add action being performed through a cross-site GET request that includes the victim's session.
7) Incorrect authorization (CVE-ID: CVE-2026-41657)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to incorrect authorization in contacts_data.php when handling requests with mem_show_filter=3. A remote privileged user can send a specially crafted request to disclose sensitive information.
In multi-organization deployments, the issue bypasses organization isolation and can expose user records from other organizations sharing the same database.
8) Missing Authorization (CVE-ID: CVE-2026-41658)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to delete inventory items and associated data.
The vulnerability exists due to missing authorization in modules/inventory.php destructive inventory handlers when handling crafted POST requests to inventory actions. A remote user can send a specially crafted request to delete inventory items and associated data.
Item UUIDs are visible to users who can view the inventory list, and the same missing-authorization pattern also affects item retire, reinstate, and picture management actions.
9) Path traversal (CVE-ID: CVE-2026-41655)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to path traversal in the ecard_preview.php endpoint when processing the ecard_template POST parameter. A remote user can send a specially crafted request with path traversal sequences to disclose sensitive information.
The issue can expose arbitrary files accessible to the web server process, including adm_my_files/config.php containing database credentials.
10) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2026-41669)
CWE-ID: CWE-347 - Improper Verification of Cryptographic Signature
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to bypass signature verification and process forged SAML AuthnRequests and LogoutRequests.
The vulnerability exists due to improper verification of cryptographic signature in the SAMLService handleSSORequest() and handleSLORequest() logic when processing SAML requests. A remote attacker can send specially crafted unsigned or invalidly signed SAML requests to bypass signature verification and process forged SAML AuthnRequests and LogoutRequests.
For SSO requests, exploitation can cause disclosure of user attributes to an attacker-controlled AssertionConsumerServiceURL for users with an active session. For SLO requests, exploitation can terminate the targeted user's session and trigger cascading single logout across registered service providers.
11) Input validation error (CVE-ID: CVE-2026-41670)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to disclose sensitive information and impersonate a user at a service provider.
The vulnerability exists due to improper input validation in the SAML IdP implementation in src/SSO/Service/SAMLService.php when processing SAML AuthnRequest messages. A remote attacker can send a crafted AuthnRequest with an attacker-controlled AssertionConsumerServiceURL to disclose sensitive information and impersonate a user at a service provider.
User interaction is required, and exploitation is possible without signature verification when the service provider client uses the default settings for request signing validation.
12) Improper Authentication (CVE-ID: CVE-2026-41671)
CWE-ID: CWE-287 - Improper Authentication
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass authentication on connected resource servers.
The vulnerability exists due to improper authentication in the OIDC token introspection endpoint when processing token validation requests. A remote attacker can submit a fabricated, expired, revoked, or empty token to bypass authentication on connected resource servers.
The issue affects the /modules/sso/index.php/oidc/introspect endpoint and has changed scope because the vulnerable authorization server can cause unauthorized access decisions in connected resource servers.
13) Missing Authentication for Critical Function (CVE-ID: N/A)
CWE-ID: CWE-306 - Missing Authentication for Critical Function
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to prevent compromised tokens from being revoked.
The vulnerability exists due to improper access control in the OIDC token revocation endpoint when handling revocation requests. A remote attacker can send a revocation request for a token to prevent compromised tokens from being revoked.
The /oidc/revoke endpoint returns {"revoked": true} without actually revoking the token in the database, so stolen tokens remain usable until expiry.
Remediation
Install update from vendor's website.
References
- https://github.com/Admidio/admidio/security/advisories/GHSA-rw74-vc9h-534j
- https://github.com/Admidio/admidio/security
- https://github.com/Admidio/admidio/security/advisories/GHSA-rh3w-4ccx-prf9
- https://github.com/advisories/GHSA-rh3w-4ccx-prf9
- https://github.com/Admidio/admidio/security/advisories/GHSA-c7xm-r6vj-8vg6
- https://github.com/advisories/GHSA-c7xm-r6vj-8vg6
- https://github.com/Admidio/admidio/security/advisories/GHSA-gq27-fc8w-vcmp
- https://github.com/advisories/GHSA-gq27-fc8w-vcmp
- https://github.com/Admidio/admidio/security/advisories/GHSA-68pr-7prh-mpv4
- https://github.com/advisories/GHSA-68pr-7prh-mpv4
- https://github.com/Admidio/admidio/security/advisories/GHSA-m9h6-8pqm-xrhf
- https://github.com/advisories/GHSA-m9h6-8pqm-xrhf
- https://github.com/Admidio/admidio/security/advisories/GHSA-g8p8-94f2-28gr
- https://github.com/advisories/GHSA-g8p8-94f2-28gr
- https://github.com/Admidio/admidio/security/advisories/GHSA-xqv4-xm7h-52cv
- https://github.com/advisories/GHSA-xqv4-xm7h-52cv
- https://github.com/Admidio/admidio/security/advisories/GHSA-m3vp-3jjm-gpmx
- https://github.com/advisories/GHSA-m3vp-3jjm-gpmx
- https://github.com/Admidio/admidio/security/advisories/GHSA-25cw-98hg-g3cg
- https://github.com/advisories/GHSA-25cw-98hg-g3cg
- https://github.com/Admidio/admidio/security/advisories/GHSA-p9w9-87c8-m235
- https://github.com/advisories/GHSA-p9w9-87c8-m235
- https://github.com/Admidio/admidio/security/advisories/GHSA-9xx5-cv6j-x533
- https://github.com/advisories/GHSA-9xx5-cv6j-x533