Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Lifecycle Timeline
4DescriptionGitHub Advisory
Summary
A logic error in Admidio's two-factor authentication reset inverts the authorization check. Non-admin users cannot remove their own TOTP configuration, but they can remove other users' TOTP, including administrators. A group leader with profile edit rights on an admin account can strip that admin's 2FA.
Details
In modules/profile/two_factor_authentication.php at line 84, the authorization check uses an inverted condition:
// modules/profile/two_factor_authentication.php line 84
if (!($gCurrentUser->isAdministrator() || $gCurrentUserId !== $userId))
{
throw new AdmException('SYS_NO_RIGHTS');
}By De Morgan's law, this condition evaluates as:
- Blocks when:
NOT isAdministrator() AND $gCurrentUserId === $userId - In practice: blocks non-admins from resetting their OWN 2FA
- Passes: non-admins resetting OTHER users' 2FA (the opposite of the intended behavior)
The intended logic should block non-admins from resetting other users' 2FA. The ! operator on line 84 should be =.
A group leader who holds hasRightEditProfile() permission on an admin user (checked earlier in the flow) can exploit this to strip 2FA from administrator accounts, reducing their security to password-only authentication.
Proof of Concept
- As
testuser(a non-admin group leader with edit rights on admin profiles), send:
POST /adm_program/modules/profile/two_factor_authentication.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: ADMIDIO_..._SESSION_ID=<testuser_session>
mode=reset&user_uuid=<admin_user_uuid>Result: the server removes 2FA from the admin account.
- As
testuser, attempt to reset their own 2FA:
POST /adm_program/modules/profile/two_factor_authentication.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: ADMIDIO_..._SESSION_ID=<testuser_session>
mode=reset&user_uuid=<testuser_user_uuid>Result: SYS_NO_RIGHTS error. The user cannot reset their own 2FA.
This confirms the authorization logic is inverted.
Impact
A group leader (or any user with profile edit rights on an admin) can disable two-factor authentication on administrator accounts. This degrades admin account security to password-only, opening the door to credential stuffing or brute force attacks without a 2FA barrier.
Recommended Fix
Change ! to = on line 84 of modules/profile/two_factor_authentication.php:
// Fixed condition: block non-admins from resetting OTHER users' 2FA
if (!($gCurrentUser->isAdministrator() || $gCurrentUserId === $userId))
{
throw new AdmException('SYS_NO_RIGHTS');
}--- *Found by aisafe.io*
AnalysisAI
Inverted authorization logic in Admidio's two-factor authentication reset module allows non-admin users with profile edit permissions to strip TOTP protection from administrator accounts while paradoxically blocking users from resetting their own 2FA. A group leader holding 'hasRightEditProfile()' rights on an admin account can send a single POST request to /adm_program/modules/profile/two_factor_authentication.php with the admin's UUID, disabling the admin's 2FA and reducing account security to password-only. This vulnerability affects Admidio versions ≤5.0.8; patched version 5.0.9 corrects the inverted comparison operator. Public exploit code exists via the GitHub advisory's proof-of-concept. No confirmed active exploitation (not in CISA KEV).
Technical ContextAI
Admidio is a PHP-based membership management system for organizations. The vulnerability resides in the authorization check at line 84 of modules/profile/two_factor_authentication.php. The conditional statement '!($gCurrentUser->isAdministrator() || $gCurrentUserId ! $userId)' incorrectly uses a strict inequality operator (!) instead of strict equality (=). Applying De Morgan's law, this evaluates to 'NOT isAdministrator() AND $gCurrentUserId = $userId', which blocks non-admins from resetting their own 2FA but permits them to reset OTHER users' 2FA. This is a textbook CWE-863 (Incorrect Authorization) violation where the access control logic implements the exact inverse of the intended security policy. The flaw exists in the application's PHP codebase (pkg:composer/admidio/admidio) and affects all deployments where group leaders have been delegated profile editing rights-a common configuration in organizational membership systems.
RemediationAI
Upgrade to Admidio version 5.0.9 immediately via Composer ('composer update admidio/admidio') or by deploying the patched release from the official GitHub repository (https://github.com/Admidio/admidio). The fix changes the comparison operator on line 84 of modules/profile/two_factor_authentication.php from '!' to '=' to correctly block non-admins from resetting other users' 2FA. If immediate upgrade is not feasible, implement compensating controls: (1) audit and revoke 'hasRightEditProfile()' permissions on administrator accounts from all group leaders and non-admin roles via Admidio's role management interface-this breaks the attack prerequisite but may disrupt organizational workflows requiring delegated profile management; (2) enable PHP opcode caching with immutable files to prevent runtime patching of the vulnerable script; (3) deploy web application firewall rules to monitor and alert on POST requests to /adm_program/modules/profile/two_factor_authentication.php where the authenticated user's ID does not match the user_uuid parameter. Trade-offs: revoking profile edit rights may require admins to handle routine profile updates, increasing admin workload; WAF rules generate false positives if legitimate admin-assisted 2FA resets occur. Full remediation requires the vendor-supplied patch.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28272
GHSA-rh3w-4ccx-prf9