PT-2026-37144 · Admidio · Admidio

Adrgs

Published 2026-04-29 · Updated 2026-05-07 · CVE-2026-41660

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Admidio versions prior to 5.0.9

Description: A logic error in the two-factor authentication (2FA) reset process inverts the authorization check. As a result, non-admin users can remove the Time-based One-Time Password (TOTP) configuration of other users, including administrators, while being prevented from removing their own. Specifically, a group leader with profile edit rights on an admin account can strip that admin's 2FA, reducing the account's security to password-only authentication. The issue exists in the 'modules/profile/two_factor_authentication.php' file, where an inverted condition in the authorization check fails to block non-admins from resetting other users' 2FA. The vulnerable endpoint is '/adm_program/modules/profile/two_factor_authentication.php', reached with the 'mode' and 'user_uuid' parameters.

Recommendations: Update to version 5.0.9. As a temporary workaround, restrict the hasRightEditProfile() permission for group leaders to minimize the risk of unauthorized 2FA removal.
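The inverted check described above, modelled in Python as an added illustration (this is not Admidio's code: the User class, the editable set standing in for hasRightEditProfile(), and the assumed intended policy "self or administrator" are assumptions chosen to reproduce the behaviour the advisory describes):

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    """Constructed stand-in for an Admidio account; not the project's model."""
    uuid: str
    is_admin: bool = False
    # UUIDs of profiles this user may edit; stands in for hasRightEditProfile().
    editable: frozenset = field(default_factory=frozenset)

    def has_right_edit_profile(self, target: "User") -> bool:
        return self.is_admin or target.uuid in self.editable


def may_reset_totp_vulnerable(actor: User, target: User) -> bool:
    """Inverted condition: the self check that should grant access denies it,
    and any other target passes as long as the actor has profile-edit rights.
    A group leader can thus strip an admin's TOTP but not their own."""
    if actor.uuid == target.uuid:
        return False  # bug: legitimate self-reset refused
    return actor.has_right_edit_profile(target)  # bug: non-admins pass for others


def may_reset_totp_fixed(actor: User, target: User) -> bool:
    """Assumed intended policy (assumption, not the 5.0.9 patch itself): a user
    may reset their own 2FA, and only an administrator may reset anyone else's."""
    if actor.uuid == target.uuid:
        return True
    return actor.is_admin


def policy_differences(users: list) -> list:
    """Every (actor, target) pair on which the two checks disagree; handy as a
    regression test for the authorization predicate."""
    return [(a.uuid, t.uuid) for a in users for t in users
            if may_reset_totp_vulnerable(a, t) != may_reset_totp_fixed(a, t)]


# Constructed sample accounts: an admin, a group leader holding edit rights on
# the admin and on a member, and a plain member.
ADMIN = User("admin-uuid", is_admin=True)
LEADER = User("leader-uuid", editable=frozenset({"admin-uuid", "member-uuid"}))
MEMBER = User("member-uuid")

if __name__ == "__main__":
    for a, t in [(LEADER, ADMIN), (LEADER, LEADER), (ADMIN, LEADER)]:
        print(a.uuid, "->", t.uuid, may_reset_totp_vulnerable(a, t), may_reset_totp_fixed(a, t))
```

Running it shows the leader allowed against the admin and refused against themselves under the vulnerable predicate, with both outcomes reversed under the fixed one.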

Weakness Enumeration: Incorrect Authorization

Related Identifiers: CVE-2026-41660, GHSA-RH3W-4CCX-PRF9

Affected Products: Admidio