CVE-2026-41659

LOW 2.7

Admidio: Hidden Profile Field Values Leaked via Blind Search Oracle in Member Assignment

CVSS Score

2.7

EPSS Score

0.0%

EPSS Percentile

0th

Admidio is an open-source user management solution. Prior to version 5.0.9, the member assignment DataTables endpoint (members_assignment_data.php) includes hidden profile fields (BIRTHDAY, STREET, CITY, POSTCODE, COUNTRY) in its SQL search condition regardless of field visibility settings. While the JSON output correctly suppresses hidden columns via isVisible() checks, the server-side search operates at the SQL level before any visibility filtering. This allows a role leader with assign-only permissions to infer hidden PII values by observing which users appear in search results for specific values. This issue has been patched in version 5.0.9.

CWE	CWE-200
Vendor	admidio
Product	admidio
Published	May 7, 2026

Stay Ahead of the Next One

Get instant alerts for admidio admidio

Be the first to know when new low vulnerabilities affecting admidio admidio are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Affected Versions

Admidio / admidio

< 5.0.9

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/Admidio/admidio/security/advisories/GHSA-68pr-7prh-mpv4 github.com: https://github.com/Admidio/admidio/releases/tag/v5.0.9