CVE-2026-41662
Severity: MEDIUM (CVSS 5.2)
Description
Admidio is an open-source user management solution. Prior to version 5.0.9, Role::stopMembership() does not verify whether removing a user from the administrator role leaves zero administrators. The deprecated Membership::stopMembership() contains this safety check, but the current code path bypasses it. Any administrator can remove the last remaining other administrator, locking the entire system out of administrative access. The exploit does not require concurrent requests; sequential removals produce the same result. This issue has been patched in version 5.0.9.
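The flaw described above is a missing "last administrator" guard on the membership-removal path. The following PHP example is added here to illustrate that guard; it is not Admidio's code, and every name in it (RoleMembershipService, LastAdminLockoutException, the sample user ids u1/u2, the role name 'Administrator') is a hypothetical construction. It shows the unchecked shape the advisory describes next to a hardened version that refuses a removal which would leave zero administrators, so that sequential removals stop at the last one.

```php
<?php
// Added example, not Admidio's code. All class, method and role names here are
// hypothetical; the sample membership data is constructed for the demonstration.
declare(strict_types=1);

final class LastAdminLockoutException extends RuntimeException {}

final class RoleMembershipService
{
    /** @var array<string, string[]> role name => list of member user ids */
    private array $members;

    public function __construct(array $members)
    {
        $this->members = $members;
    }

    /**
     * Shape of the defect described in the advisory: the membership is ended
     * without checking how many administrators will remain afterwards.
     */
    public function stopMembershipUnchecked(string $role, string $userId): void
    {
        $current = $this->members[$role] ?? [];
        $this->members[$role] = array_values(array_diff($current, [$userId]));
    }

    /**
     * Hardened shape: refuse the removal when it would leave the administrator
     * role empty. The remaining-member check and the removal happen in the
     * same operation, so one-at-a-time requests cannot drain the role past
     * its last member.
     */
    public function stopMembership(string $role, string $userId, string $adminRole = 'Administrator'): void
    {
        $current = $this->members[$role] ?? [];
        if (!in_array($userId, $current, true)) {
            return; // not a member; nothing to remove
        }
        if ($role === $adminRole && count($current) <= 1) {
            throw new LastAdminLockoutException(
                "Refusing to remove user {$userId}: it is the last member of role {$adminRole}"
            );
        }
        $this->members[$role] = array_values(array_diff($current, [$userId]));
    }

    public function countMembers(string $role): int
    {
        return count($this->members[$role] ?? []);
    }
}

// Constructed sample data: an administrator role with exactly two members.
$service = new RoleMembershipService(['Administrator' => ['u1', 'u2']]);

// First removal is allowed because one administrator still remains.
$service->stopMembership('Administrator', 'u2');

// Second removal is refused: it would leave the system without any administrator.
try {
    $service->stopMembership('Administrator', 'u1');
} catch (LastAdminLockoutException $e) {
    echo $e->getMessage(), PHP_EOL;
}

echo 'Administrators remaining: ', $service->countMembers('Administrator'), PHP_EOL;
```

In a real deployment the member count and the delete must run inside one database transaction (with the role's membership rows locked, or an equivalent atomic conditional delete) so that two concurrent removals cannot each observe "two administrators remain" and both proceed; the advisory's point is that even without concurrency the absence of the check is enough, and the guard above addresses that sequential case.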
CVE details
CVSS v3.1 score: 5.2
Severity: MEDIUM
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:H
Attack vector: NETWORK
Complexity: LOW
Privileges required: HIGH
User interaction: REQUIRED
Published: 5/7/2026
Last modified: 5/7/2026
Source: nvd
Honeypot sightings: 0
Weaknesses (CWE)
CWE-754
References
https://github.com/Admidio/admidio/releases/tag/v5.0.9 (security-advisories@github.com)
https://github.com/Admidio/admidio/security/advisories/GHSA-c7xm-r6vj-8vg6 (security-advisories@github.com)
https://github.com/Admidio/admidio/security/advisories/GHSA-c7xm-r6vj-8vg6 (134c704f-9b21-4f2e-91b3-4a467353bcc0)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.