Authorization bypass through user-controlled key in Admidio - CVE-2026-30927

 

Published: April 23, 2026


Vulnerability identifier: #VU127156
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-30927
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Admidio
Affected software: Admidio

Detailed vulnerability description

The vulnerability allows a remote user to modify other users' event participation records.

The vulnerability exists due to authorization bypass through a user-controlled key (CWE-639) in modules/events/events_function.php: when handling event participation requests, the user_uuid GET parameter is used to select the participation record to modify without verifying that the requesting user is allowed to act on that record. A remote, authenticated user can therefore supply another user's user_uuid value and modify that user's event participation records.

This can be used to register other users for events, cancel their participation, manipulate participant counts and comments, and fill limited participation slots.
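The weak and the hardened handling of a user_uuid parameter for this class of bug, as an added illustrative example in PHP (this is not Admidio's code or its actual fix; the in-memory session, event and "event manager" role data are constructed assumptions):

```php
<?php
// Illustrative example, not Admidio's code: a hypothetical event-participation
// handler in its weak form (trusts user_uuid from the query string) and in a
// hardened form (defaults to the session user and checks a role before acting
// on someone else's record). All data below is constructed inline.
final class ParticipationHandler
{
    private string $sessionUserUuid = 'aaaa-1111';           // authenticated user
    private array $eventManagers = ['evt-42' => ['cccc-3333']]; // hypothetical role model
    public array $participants = ['evt-42' => []];

    // Weak form (CWE-639): whatever user_uuid the client sends selects the record.
    public function weakHandle(array $get): void
    {
        $target = $get['user_uuid'] ?? $this->sessionUserUuid;
        $this->participants[$get['event']][] = $target; // any user_uuid is accepted
    }

    // Hardened form: the target defaults to the authenticated user, and a
    // different user_uuid is honoured only if the actor manages that event.
    public function hardenedHandle(array $get): void
    {
        $event  = $get['event'];
        $target = $get['user_uuid'] ?? $this->sessionUserUuid;
        $actorManagesEvent = in_array(
            $this->sessionUserUuid, $this->eventManagers[$event] ?? [], true
        );
        if ($target !== $this->sessionUserUuid && !$actorManagesEvent) {
            throw new RuntimeException(
                'not permitted to change another user\'s participation'
            );
        }
        $this->participants[$event][] = $target;
    }
}

$h = new ParticipationHandler();
// Constructed request: a user trying to act on someone else's record.
$request = ['event' => 'evt-42', 'user_uuid' => 'bbbb-2222'];
$h->weakHandle($request);          // silently registers bbbb-2222
try {
    $h->hardenedHandle($request);  // rejected: actor is not an event manager
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
$h->hardenedHandle(['event' => 'evt-42']); // acts only on the session user
```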


How to mitigate CVE-2026-30927

Install the security update from the vendor's website.

Sources