PT-2026-37146 · Admidio · Admidio
Adrgs · Published 2026-04-29 · Updated 2026-05-07 · CVE-2026-41662
CVSS v3.1: 5.2 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:H
Name of the Vulnerable Software and Affected Versions: Admidio versions prior to 5.0.9

Description: The Role::stopMembership() function fails to verify whether removing a user from the administrator role leaves the system with zero administrators. The deprecated Membership::stopMembership() function contains a safety check that prevents this, but the current code path bypasses it. As a result, an administrator can remove the last remaining other administrator, potentially locking the entire system out of administrative access. This can occur through sequential removals, where two administrators remove each other, leaving no users in the administrator role. The vulnerability is located in the Role::stopMembership() function within src/Roles/Entity/Role.php and can be triggered via the endpoint "/modules/profile/profile function.php" using the mode, user uuid, and role uuid parameters.

Recommendations: Update to version 5.0.9. As a temporary workaround, restrict access to the "/modules/profile/profile function.php" endpoint or limit the number of users with administrator privileges to minimize the risk of total lockout.
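The missing check described above, as an added PHP illustration that is not Admidio's code: a minimal in-memory membership store with the unguarded removal beside a guarded version that refuses to empty the administrator role. The class and method names and the sample UUIDs are assumptions.

```php
<?php
// Added illustration, not Admidio's code. Models role memberships in memory to
// show the last-administrator check that the advisory describes as missing.
// MembershipStore, its methods and the sample UUIDs are assumed names/values.

final class MembershipStore
{
    public const ADMIN_ROLE = 'role-admin-uuid'; // constructed sample role UUID

    /** @var array<string, string[]> role UUID => list of member user UUIDs */
    private array $members;

    public function __construct(array $members)
    {
        $this->members = $members;
    }

    public function countMembers(string $roleUuid): int
    {
        return count($this->members[$roleUuid] ?? []);
    }

    // Vulnerable pattern: ends the membership without asking whether the
    // administrator role is left empty (two admins removing each other in
    // sequence ends with zero administrators).
    public function stopMembershipUnchecked(string $userUuid, string $roleUuid): void
    {
        $current = $this->members[$roleUuid] ?? [];
        $this->members[$roleUuid] = array_values(array_diff($current, [$userUuid]));
    }

    // Hardened pattern: refuse to remove the last member of the administrator role.
    public function stopMembership(string $userUuid, string $roleUuid): void
    {
        $isMember = in_array($userUuid, $this->members[$roleUuid] ?? [], true);
        if ($roleUuid === self::ADMIN_ROLE && $isMember && $this->countMembers($roleUuid) <= 1) {
            throw new RuntimeException('Refusing to remove the last administrator');
        }
        $this->stopMembershipUnchecked($userUuid, $roleUuid);
    }
}

// Scenario from the advisory: two administrators remove each other in sequence.
$store = new MembershipStore([MembershipStore::ADMIN_ROLE => ['admin-a', 'admin-b']]);
$store->stopMembership('admin-a', MembershipStore::ADMIN_ROLE);     // allowed: one admin remains
try {
    $store->stopMembership('admin-b', MembershipStore::ADMIN_ROLE); // blocked by the check
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
printf("Administrators remaining: %d\n", $store->countMembers(MembershipStore::ADMIN_ROLE));
```

In a real application the count and the removal must run in one database transaction with row locking; otherwise two concurrent requests can each observe two administrators and both succeed.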

Weakness Enumeration: Improper Check for Exceptional Conditions

Related Identifiers: CVE-2026-41662, GHSA-C7XM-R6VJ-8VG6

Affected Products: Admidio