2 matches found
CVE-2026-41657
Summary: Admidio before version 5.0.9 exposed cross-organization member data via the contacts_data.php endpoint due to a weaker permission check (isAdministratorUsers()) compared to the frontend (isAdministrator()) and the contacts_show_all setting. This allowed a user manager (rol_edit_user) wi...
Incorrect Authorization
Overview: admidio/admidio is a free, open-source user management system for websites of organizations and groups. Affected versions of this package are vulnerable to Incorrect Authorization via the contactsdata.php process. An attacker can access sensitive user data from all organizations by direct...