4 matches found

Source: CVE
Added: 2026/05/07 2:58 a.m. | Views: 4

CVE-2026-41657

Summary : Admidio before version 5.0.9 exposed cross-organization member data via the contacts_data.php endpoint due to a weaker permission check (isAdministratorUsers()) compared to the frontend (isAdministrator()) and the contacts_show_all setting. This allowed a user manager (rol_edit_user) wi...

CVSS: 4.9 | AI score: 5.8 | EPSS: 0.00013
Exploits: 0 | References: 2

Source: OSV
Added: 2026/04/29 9:44 p.m. | Views: 3

GHSA-G8P8-94F2-28GR Admidio Exposes Cross-Organization Member Data via Permission Check Mismatch in contacts_data.php

Summary: The contacts_data.php endpoint uses a weaker permission check, isAdministratorUsers() (requiring only rol_edit_user=true), than the frontend UI contacts.php, which correctly requires the stronger isAdministrator() (requiring rol_administrator=true) and the contacts_show_all system setting. A user manager...

CVSS: 4.9 | AI score: 5.9 | EPSS: 0.00013
Exploits: 0 | References: 4

Source: Snyk
Added: 2025/11/05 7:52 p.m. | Views: 1

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the Organization V2Beta API endpoints. An attacker can access and modify data belonging to other organizations by bypassing authorization checks with administrator privileges for a...

CVSS: 8.8 | AI score: 6.6 | EPSS: 0.00056
Exploits: 0 | References: 2

Source: Hacker One
Added: 2020/05/01 12:29 p.m. | Views: 19

Mail.ru: Cross-organization data access in city-mobil.ru

A legitimate partner's superuser account could have access to information of a driver belonging to a different partner, including passport and driving license data. Combined Improper Access + IDOR. It was possible to get access to the passport and driving license of any taxi driver, as well as change settings...

AI score: 4.5
Exploits: 0