Back to CVE List

CVE-2026-41660

HIGH SEVERITY

CVSS Score & Metrics

Base Score
7.1 / 10
Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Vulnerability Description

Admidio is an open-source user management solution. Prior to version 5.0.9, a logic error in Admidio's two-factor authentication reset inverts the authorization check. Non-admin users cannot remove their own TOTP configuration, but they can remove other users' TOTP, including administrators. A group leader with profile edit rights on an admin account can strip that admin's 2FA. This issue has been patched in version 5.0.9.

Vulnerability Details

Published Date
Last Modified
CWE ID
CWE-863
Source
GitHub
Vendor
composer
Product
admidio/admidio

External References

Discussion (0)

Add Comment

No comments yet. Be the first!