Information disclosure in Admidio - CVE-2026-41659



Published: April 23, 2026


Vulnerability identifier: #VU127165
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-41659
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Admidio
Affected software: Admidio

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the members_assignment_data.php member assignment DataTables endpoint when it processes search requests. A remote privileged user can send crafted search values to the endpoint and disclose sensitive information.

Hidden profile fields are excluded from the JSON output, but the search filter is still applied to the hidden birthday, street, city, postcode, and country fields, so their values can be inferred from which records match a search term and from the filtered record count.
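The bug class described above, as an added example that is not Admidio's code: a DataTables-style search that filters on every profile field and only afterwards strips hidden fields from the rows leaks those fields through the match set and record count, while the hardened variant filters only on fields the requester may view. The member records, field names and helper functions below are constructed for illustration.

```python
# Added example, not Admidio's code. Demonstrates why filtering before
# projecting hidden fields leaks them, and the hardened order of operations.

HIDDEN_FIELDS = {"birthday", "street", "city", "postcode", "country"}

MEMBERS = [  # constructed sample data
    {"id": 1, "name": "Alice", "city": "Berlin", "postcode": "10115"},
    {"id": 2, "name": "Bob", "name2": "", "city": "Hamburg", "postcode": "20095"},
    {"id": 3, "name": "Carol", "city": "Berlin", "postcode": "10117"},
]


def visible_fields(member, viewer_may_see_hidden):
    """Project a record down to the fields the viewer is allowed to see."""
    return {k: v for k, v in member.items()
            if viewer_may_see_hidden or k not in HIDDEN_FIELDS}


def search_vulnerable(term, viewer_may_see_hidden=False):
    """Filters on every field, then strips hidden ones.

    The hidden values never appear in the output, but the set of matching
    rows and recordsFiltered still depend on them (information disclosure).
    """
    term = term.lower()
    hits = [m for m in MEMBERS
            if any(term in str(v).lower() for v in m.values())]
    rows = [visible_fields(m, viewer_may_see_hidden) for m in hits]
    return {"recordsFiltered": len(rows), "data": rows}


def search_hardened(term, viewer_may_see_hidden=False):
    """Projects first, then filters only on the fields the viewer may see.

    Hidden fields are never consulted, so neither the rows nor the count
    carry any information about them.
    """
    term = term.lower()
    projected = [visible_fields(m, viewer_may_see_hidden) for m in MEMBERS]
    rows = [r for r in projected
            if any(term in str(v).lower() for v in r.values())]
    return {"recordsFiltered": len(rows), "data": rows}


if __name__ == "__main__":
    # A viewer without hidden-field access searches for a city name.
    print(search_vulnerable("berlin"))  # 2 rows although city is hidden
    print(search_hardened("berlin"))    # 0 rows: hidden fields not searched
```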


How to mitigate CVE-2026-41659

Install the security update from the vendor's website.

Sources