Skip to main content

Admidio EUVDEUVD-2026-28276

| CVE-2026-41662 MEDIUM
Improper Check for Unusual or Exceptional Conditions (CWE-754)
2026-04-29 https://github.com/Admidio/admidio GHSA-c7xm-r6vj-8vg6
5.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.2 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

4
Source Code Evidence Fetched
Apr 29, 2026 - 22:17 vuln.today
Analysis Generated
Apr 29, 2026 - 22:17 vuln.today
Analysis Generated
Apr 29, 2026 - 22:00 vuln.today
CVE Published
Apr 29, 2026 - 21:53 nvd
MEDIUM 5.2

DescriptionGitHub Advisory

Summary

Role::stopMembership() does not verify whether removing a user from the administrator role leaves zero administrators. The deprecated Membership::stopMembership() contains this safety check, but the current code path bypasses it. Any administrator can remove the last remaining other administrator, locking the entire system out of administrative access. The exploit does not require concurrent requests; sequential removals produce the same result.

Details

Role::stopMembership() in src/Roles/Entity/Role.php stops a user's membership in a role without verifying whether the action leaves the administrator role with zero members:

php
// src/Roles/Entity/Role.php - Role::stopMembership()
public function stopMembership(int $userId): bool
{
    // No check for minimum administrator count
    // Directly updates membership end date
}

The deprecated Membership::stopMembership() contains this safety check and raises SYS_MUST_HAVE_ADMINISTRATOR when the removal would leave no admins, but current code paths no longer call this method.

Role::setMembership() includes a guard that prevents a user from removing their own administrator membership:

php
if ($userId === $gCurrentUserId) {
    // Prevents self-removal from admin role
}

This guard does not prevent an administrator from removing the last other administrator. Consider a system with exactly two administrators (Admin A and Admin B):

  1. Admin A removes Admin B from the administrator role. The self-removal check passes (Admin A is not removing themselves). No minimum-count check runs. Admin B loses admin access.
  2. Admin A is now the sole administrator. Admin A cannot remove themselves (self-removal guard), but the system is one compromised account away from total lockout.
  3. If Admin A and Admin B each send a removal request for the other (sequentially or concurrently), both succeed. The system has zero administrators.

The core bug is the missing minimum-administrator check in Role::stopMembership(), not timing. Sequential requests reproduce the issue just as concurrent ones do.

Proof of Concept

Requirements: two active administrator accounts (Admin A and Admin B) with valid sessions.

python
import requests

BASE = "https://admidio.example.com"

session_a = requests.Session()
session_b = requests.Session()
# Authenticate both sessions (login step omitted for brevity)
# Step 1: Admin A removes Admin B (sequential, no race needed)
resp1 = session_a.post(f"{BASE}/modules/profile/profile_function.php", data={
    "mode": "stop_membership",
    "user_uuid": ADMIN_B_UUID,
    "role_uuid": ADMIN_ROLE_UUID
})
print(f"Admin A removes Admin B: {resp1.status_code}")
# 200
# Step 2: Admin B removes Admin A (Admin B's session is still valid)
resp2 = session_b.post(f"{BASE}/modules/profile/profile_function.php", data={
    "mode": "stop_membership",
    "user_uuid": ADMIN_A_UUID,
    "role_uuid": ADMIN_ROLE_UUID
})
print(f"Admin B removes Admin A: {resp2.status_code}")
# 200
# The system now has 0 administrators.

After both requests complete, no users remain in the administrator role. The administrative interface becomes inaccessible. Recovery requires direct database manipulation to reassign the administrator role.

Impact

Two colluding or compromised administrator accounts lock out all administrative access to the Admidio installation. Recovery demands direct database access, which may not be available on shared hosting environments. The attack does not require precise timing because Role::stopMembership() performs no minimum-admin-count check at all.

Recommended Fix

Add a minimum-administrator-count check to Role::stopMembership(). Before stopping a membership in the administrator role, query the current count of active members. If stopping this membership would leave zero administrators, reject the request with SYS_MUST_HAVE_ADMINISTRATOR. This mirrors the check already present in the deprecated Membership::stopMembership() method.

--- *Found by aisafe.io*

AnalysisAI

Admidio 5.0.8 and earlier allows authenticated administrators to remove all other administrators from the system via Role::stopMembership(), which lacks a minimum-administrator-count validation check. Two colluding or compromised admin accounts can sequentially remove each other, leaving zero administrators and locking administrative access. The vulnerability requires high privileges (PR:H) and user interaction (UI:R) but results in complete denial of administrative access once exploited.

Technical ContextAI

Admidio is a PHP-based web application for managing member roles and permissions. The vulnerability exists in the Role entity class (src/Roles/Entity/Role.php), specifically the stopMembership() method, which directly updates membership end dates without verifying whether the removal would leave the administrator role with zero active members. A deprecated predecessor method, Membership::stopMembership(), contained this safety check (raising SYS_MUST_HAVE_ADMINISTRATOR error), but the refactored code path bypasses it entirely. While Role::setMembership() includes a self-removal guard (preventing PR:H users from removing their own admin status), it does not prevent removal of other administrators. The root cause is a missing authorization/validation control (CWE-754: Improper Check for Unusual or Exceptional Conditions).

RemediationAI

Upgrade Admidio to version 5.0.9 or later immediately. The patch restores the minimum-administrator-count validation to Role::stopMembership(), preventing removal of the last active administrator. For installations unable to upgrade immediately, implement application-level access controls: restrict administrative user removal operations to a trusted subset of administrators (if role-based access control permits), monitor audit logs for suspicious membership removal requests, and maintain offline backups of the administrator role assignment table to enable rapid recovery if lockout occurs. Note that these workarounds do not prevent the vulnerability but reduce exposure window and enable faster recovery. Direct database modification may be required to restore administrator access if the vulnerability is successfully exploited on systems without recent backups.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

EUVD-2026-28276 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy