Description

Admidio is an open-source user management solution. Prior to version 5.0.9, the member assignment DataTables endpoint (members_assignment_data.php) includes hidden profile fields (BIRTHDAY, STREET, CITY, POSTCODE, COUNTRY) in its SQL search condition regardless of field visibility settings. While the JSON output correctly suppresses hidden columns via isVisible() checks, the server-side search operates at the SQL level before any visibility filtering. This allows a role leader with assign-only permissions to infer hidden PII values by observing which users appear in search results for specific values. This issue has been patched in version 5.0.9.

INFO

Published Date :

2026-05-07T02:59:19.870Z

Last Modified :

2026-05-07T13:44:42.872Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-41659 vulnerability.

Vendors Products
Admidio
  • Admidio
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-41659.

URL Resource
https://github.com/Admidio/admidio/releases/tag/v5.0.9 cve-icon cve-icon
https://github.com/Admidio/admidio/security/advisories/GHSA-68pr-7prh-mpv4 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact