PT-2026-37143 · Admidio · Admidio

Offset · Published 2026-04-29 · Updated 2026-05-07 · CVE-2026-41659

CVSS v3.1: 2.7 (Low)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Admidio versions prior to 5.0.9
Description: The member assignment DataTables endpoint 'members assignment data.php' includes hidden profile fields in its SQL search condition regardless of the fields' visibility settings. The JSON output suppresses hidden columns through isVisible() checks, but the server-side search runs at the SQL level before that filtering takes place. A role leader with assign-only permissions can therefore perform a blind oracle attack, inferring hidden personally identifiable information (PII) by observing which users appear in the search results for specific values. The affected hidden fields are BIRTHDAY, STREET, CITY, POSTCODE, and COUNTRY.
Recommendations: Update to version 5.0.9. As a temporary workaround, restrict access to the 'members assignment data.php' endpoint to those users who need it and are trusted with PII access.
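To illustrate the pattern the description names (a search condition built over every profile column, with visibility enforced only on the output) next to its corrected form, here is an added Python/sqlite3 sketch; it is not Admidio's code, and the table, column names and visibility map are constructed for the example.

```python
import sqlite3

# Constructed visibility map: first_name is visible to the role leader, the
# other columns stand in for the hidden profile fields named in the advisory.
FIELDS = {
    "first_name": True,
    "birthday": False,
    "street": False,
    "city": False,
    "postcode": False,
    "country": False,
}


def make_db():
    """Constructed in-memory member table with two sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE members (usr_id INTEGER, first_name TEXT, birthday TEXT,"
        " street TEXT, city TEXT, postcode TEXT, country TEXT)"
    )
    con.executemany(
        "INSERT INTO members VALUES (?,?,?,?,?,?,?)",
        [
            (1, "Alice", "1990-05-17", "Main St 1", "Berlin", "10115", "DE"),
            (2, "Bob", "1985-11-02", "High St 9", "Hamburg", "20095", "DE"),
        ],
    )
    return con


def search(con, term, searchable):
    """DataTables-style search: build the WHERE clause over `searchable`,
    then project only the visible columns (the isVisible()-style filter).
    Hidden values never appear in the result; the leak, if any, is the row."""
    if not searchable:
        return []
    visible = [f for f, v in FIELDS.items() if v]
    where = " OR ".join(f"{col} LIKE ?" for col in searchable)
    params = [f"%{term}%"] * len(searchable)
    sql = f"SELECT usr_id, {', '.join(visible)} FROM members WHERE {where}"
    return con.execute(sql, params).fetchall()


def search_vulnerable(con, term):
    # Pre-fix behaviour: every column is searchable, visible or not.
    return search(con, term, list(FIELDS))


def search_fixed(con, term):
    # Corrected behaviour: visibility decides what may be searched at all.
    return search(con, term, [f for f, v in FIELDS.items() if v])
```

Both variants return identical columns, which is why an output-only check passes review; the regression test for the fix is that a hidden value no longer selects a row.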

Information Disclosure

Related Identifiers

CVE-2026-41659
GHSA-68PR-7PRH-MPV4

Affected Products

Admidio