PT-2026-37141 · Admidio · Admidio

Published 2026-04-29 · Updated 2026-05-07

CVE-2026-41657

CVSS v3.1: 4.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Admidio versions prior to 5.0.9
Description: An authorization mismatch exists between the frontend UI and the backend data endpoint. While the frontend correctly restricts the "show all organizations" filter to full administrators, the `contacts_data.php` endpoint uses a weaker permission check via the isAdministratorUsers() function, which only requires the `rol_edit_user` permission. This allows a user manager who is not a full administrator to bypass multi-tenant organization isolation by directly requesting the `contacts_data.php` endpoint with the `mem_show_filter` variable set to 3. Consequently, an attacker can retrieve all user records across all organizations in the instance, including full names, email addresses, login names, and user UUIDs, even if the `contacts_show_all` system setting is disabled.
Recommendations: Update to version 5.0.9. As a temporary workaround, restrict access to the `contacts_data.php` endpoint or monitor for requests containing the `mem_show_filter` variable set to 3 from non-administrator accounts.
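As an added illustration of the monitoring workaround (example code, not part of the advisory or of Admidio's own code): a small Python detector that scans constructed web-server access-log lines for the cross-organization export request (`contacts_data.php` with `mem_show_filter=3`) and flags requests from accounts that are not full administrators. The module path prefix, the combined log format and the role map are assumptions.

```python
"""Flag cross-organization contact export requests from non-admin accounts."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines in combined format (third field is the
# authenticated user as the web server saw it). The module path prefix
# is assumed; matching below is on the script name only.
SAMPLE_LOG = """\
10.0.0.5 - alice [07/May/2026:10:01:02 +0000] "GET /adm_program/modules/contacts/contacts_data.php?mem_show_filter=3&draw=1 HTTP/1.1" 200 51234
10.0.0.6 - bob [07/May/2026:10:01:09 +0000] "GET /adm_program/modules/contacts/contacts_data.php?draw=2&mem_show_filter=3 HTTP/1.1" 200 49870
10.0.0.7 - carol [07/May/2026:10:02:15 +0000] "GET /adm_program/modules/contacts/contacts_data.php?mem_show_filter=0 HTTP/1.1" 200 2210
10.0.0.8 - dave [07/May/2026:10:03:40 +0000] "GET /adm_program/modules/contacts/contacts.php?mem_show_filter=3 HTTP/1.1" 200 8800
10.0.0.9 - - [07/May/2026:10:04:01 +0000] "GET /adm_program/modules/contacts/contacts_data.php?mem_show_filter=3 HTTP/1.1" 302 0
"""

# Constructed role map: login names holding full administrator rights.
# A real deployment would derive this from the application's role tables.
FULL_ADMINS = {"alice"}

LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def is_cross_org_request(request_target: str) -> bool:
    """True if the request targets contacts_data.php with mem_show_filter=3."""
    parts = urlsplit(request_target)
    if not parts.path.endswith("/contacts_data.php"):
        return False
    values = parse_qs(parts.query).get("mem_show_filter", [])
    return any(v.strip() == "3" for v in values)

def find_suspicious(log_text: str, full_admins: set[str]) -> list[dict]:
    """Return one finding per cross-org request made by a non-full-admin account."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, user, method, target, status = m.groups()
        if not is_cross_org_request(target):
            continue
        # Full administrators may legitimately use this filter; everyone
        # else, including unauthenticated hits logged as "-", is reported.
        if user in full_admins:
            continue
        findings.append({"ip": ip, "user": user, "status": int(status), "path": target})
    return findings

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG, FULL_ADMINS):
        print(f"ALERT {f['user']}@{f['ip']} -> {f['path']} ({f['status']})")
```

Only GET query strings are visible in access logs; if the endpoint is also reachable via POST, the same check has to run on the application side or on a proxy that logs request bodies.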


Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2026-41657
GHSA-G8P8-94F2-28GR

Affected Products

Admidio