Severity by source
AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
Summary
Role::stopMembership() does not verify whether removing a user from the administrator role leaves zero administrators. The deprecated Membership::stopMembership() contains this safety check, but the current code path bypasses it. Any administrator can remove the last remaining other administrator, locking the entire system out of administrative access. The exploit does not require concurrent requests; sequential removals produce the same result.
Details
Role::stopMembership() in src/Roles/Entity/Role.php stops a user's membership in a role without verifying whether the action leaves the administrator role with zero members:
// src/Roles/Entity/Role.php - Role::stopMembership()
public function stopMembership(int $userId): bool
{
// No check for minimum administrator count
// Directly updates membership end date
}The deprecated Membership::stopMembership() contains this safety check and raises SYS_MUST_HAVE_ADMINISTRATOR when the removal would leave no admins, but current code paths no longer call this method.
Role::setMembership() includes a guard that prevents a user from removing their own administrator membership:
if ($userId === $gCurrentUserId) {
// Prevents self-removal from admin role
}This guard does not prevent an administrator from removing the last other administrator. Consider a system with exactly two administrators (Admin A and Admin B):
- Admin A removes Admin B from the administrator role. The self-removal check passes (Admin A is not removing themselves). No minimum-count check runs. Admin B loses admin access.
- Admin A is now the sole administrator. Admin A cannot remove themselves (self-removal guard), but the system is one compromised account away from total lockout.
- If Admin A and Admin B each send a removal request for the other (sequentially or concurrently), both succeed. The system has zero administrators.
The core bug is the missing minimum-administrator check in Role::stopMembership(), not timing. Sequential requests reproduce the issue just as concurrent ones do.
Proof of Concept
Requirements: two active administrator accounts (Admin A and Admin B) with valid sessions.
import requests
BASE = "https://admidio.example.com"
session_a = requests.Session()
session_b = requests.Session()
# Authenticate both sessions (login step omitted for brevity)
# Step 1: Admin A removes Admin B (sequential, no race needed)
resp1 = session_a.post(f"{BASE}/modules/profile/profile_function.php", data={
"mode": "stop_membership",
"user_uuid": ADMIN_B_UUID,
"role_uuid": ADMIN_ROLE_UUID
})
print(f"Admin A removes Admin B: {resp1.status_code}")
# 200
# Step 2: Admin B removes Admin A (Admin B's session is still valid)
resp2 = session_b.post(f"{BASE}/modules/profile/profile_function.php", data={
"mode": "stop_membership",
"user_uuid": ADMIN_A_UUID,
"role_uuid": ADMIN_ROLE_UUID
})
print(f"Admin B removes Admin A: {resp2.status_code}")
# 200
# The system now has 0 administrators.After both requests complete, no users remain in the administrator role. The administrative interface becomes inaccessible. Recovery requires direct database manipulation to reassign the administrator role.
Impact
Two colluding or compromised administrator accounts lock out all administrative access to the Admidio installation. Recovery demands direct database access, which may not be available on shared hosting environments. The attack does not require precise timing because Role::stopMembership() performs no minimum-admin-count check at all.
Recommended Fix
Add a minimum-administrator-count check to Role::stopMembership(). Before stopping a membership in the administrator role, query the current count of active members. If stopping this membership would leave zero administrators, reject the request with SYS_MUST_HAVE_ADMINISTRATOR. This mirrors the check already present in the deprecated Membership::stopMembership() method.
--- *Found by aisafe.io*
AnalysisAI
Admidio 5.0.8 and earlier allows authenticated administrators to remove all other administrators from the system via Role::stopMembership(), which lacks a minimum-administrator-count validation check. Two colluding or compromised admin accounts can sequentially remove each other, leaving zero administrators and locking administrative access. The vulnerability requires high privileges (PR:H) and user interaction (UI:R) but results in complete denial of administrative access once exploited.
Technical ContextAI
Admidio is a PHP-based web application for managing member roles and permissions. The vulnerability exists in the Role entity class (src/Roles/Entity/Role.php), specifically the stopMembership() method, which directly updates membership end dates without verifying whether the removal would leave the administrator role with zero active members. A deprecated predecessor method, Membership::stopMembership(), contained this safety check (raising SYS_MUST_HAVE_ADMINISTRATOR error), but the refactored code path bypasses it entirely. While Role::setMembership() includes a self-removal guard (preventing PR:H users from removing their own admin status), it does not prevent removal of other administrators. The root cause is a missing authorization/validation control (CWE-754: Improper Check for Unusual or Exceptional Conditions).
RemediationAI
Upgrade Admidio to version 5.0.9 or later immediately. The patch restores the minimum-administrator-count validation to Role::stopMembership(), preventing removal of the last active administrator. For installations unable to upgrade immediately, implement application-level access controls: restrict administrative user removal operations to a trusted subset of administrators (if role-based access control permits), monitor audit logs for suspicious membership removal requests, and maintain offline backups of the administrator role assignment table to enable rapid recovery if lockout occurs. Note that these workarounds do not prevent the vulnerability but reduce exposure window and enable faster recovery. Direct database modification may be required to restore administrator access if the vulnerability is successfully exploited on systems without recent backups.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28276
GHSA-c7xm-r6vj-8vg6