PT-2026-24152 · Admidio · Admidio

Fasse · Published 2026-03-09 · Updated 2026-03-13 · CVE-2026-30927

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Admidio versions prior to 5.0.6
Description: Admidio is a user management solution. A flaw exists in the event participation logic in the file modules/events/events_function.php. It allows any user permitted to participate in an event to register or cancel participation on behalf of other users by manipulating the user_uuid GET parameter. The issue stems from an incorrect conditional statement that uses the OR operator (||): any user can supply a different user_uuid, and the code then operates on the target user's ID (usr_id) instead of the current user's ID. This could lead to unwanted registrations, cancellations, or manipulation of event participant data. The vulnerable code operates on $user->getValue('usr_id').
Recommendations: Versions prior to 5.0.6 should be updated to version 5.0.6 or later. As a temporary workaround, for non-leader users, force the user_uuid parameter to the current user's UUID.
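The access-control pattern the advisory describes, as an added PHP illustration that is not Admidio's own code: an OR between "may participate" and "is leader" lets every participant choose the target user_uuid, while the workaround pins non-leaders to their own UUID. The function names, the boolean flags and the sample UUIDs are assumptions constructed for this example.

```php
<?php
// Added illustration, not Admidio's code. Models the check that decides which
// member's usr_id an event registration or cancellation will act on.

// Vulnerable pattern (hypothetical reconstruction of the flaw the advisory
// describes): with ||, any user who may participate reaches the branch that
// trusts the request-supplied user_uuid.
function resolveTargetUuidVulnerable(string $currentUserUuid, ?string $requestedUuid,
                                     bool $mayParticipate, bool $isLeader): ?string
{
    if ($mayParticipate || $isLeader) {
        // Request-controlled value is used for every participant, so a
        // different member's record can be modified.
        return $requestedUuid ?? $currentUserUuid;
    }
    return null; // no permission to act on this event at all
}

// Hardened pattern following the advisory's workaround: non-leaders are
// always forced to their own UUID; only leaders may name another member.
function resolveTargetUuidFixed(string $currentUserUuid, ?string $requestedUuid,
                                bool $mayParticipate, bool $isLeader): ?string
{
    if (!$mayParticipate && !$isLeader) {
        return null;
    }
    if (!$isLeader) {
        // Ignore whatever user_uuid the request carried.
        return $currentUserUuid;
    }
    return $requestedUuid ?? $currentUserUuid;
}

// Constructed sample: an ordinary participant sends another member's UUID.
$me     = 'aaaaaaaa-0000-0000-0000-000000000001'; // constructed
$other  = 'bbbbbbbb-0000-0000-0000-000000000002'; // constructed
$_GET['user_uuid'] = $other;
$requested = $_GET['user_uuid'] ?? null;

printf("vulnerable, participant: %s\n", resolveTargetUuidVulnerable($me, $requested, true, false));
printf("fixed, participant:      %s\n", resolveTargetUuidFixed($me, $requested, true, false));
printf("fixed, leader:           %s\n", resolveTargetUuidFixed($me, $requested, true, true));
```

Run with `php example.php`: the vulnerable variant resolves to the other member's UUID for a plain participant, the fixed variant resolves to the caller's own UUID unless the caller is a leader.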

Exploit

Fix

IDOR

Weakness Enumeration

Related Identifiers

CVE-2026-30927
GHSA-7PFV-HR63-H7CW

Affected Products

Admidio