{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30927", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-07T16:40:05.884Z", "datePublished": "2026-03-09T23:03:55.824Z", "dateUpdated": "2026-03-10T13:59:12.645Z"}, "containers": {"cna": {"title": "Admidio: Event participation IDOR - non-leaders can register other users for events via user_uuid parameter", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/Admidio/admidio/security/advisories/GHSA-7pfv-hr63-h7cw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-7pfv-hr63-h7cw"}, {"name": "https://github.com/Admidio/admidio/issues/1985", "tags": ["x_refsource_MISC"], "url": "https://github.com/Admidio/admidio/issues/1985"}, {"name": "https://github.com/Admidio/admidio/commit/e47f70cc3cbcdb39635fdbaaef02d19f604b8c3e", "tags": ["x_refsource_MISC"], "url": "https://github.com/Admidio/admidio/commit/e47f70cc3cbcdb39635fdbaaef02d19f604b8c3e"}], "affected": [{"vendor": "Admidio", "product": "admidio", "versions": [{"version": "< 5.0.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-09T23:03:55.824Z"}, "descriptions": [{"lang": "en", "value": "Admidio is an open-source user management solution. Prior to 5.0.6, in modules/events/events_function.php, the event participation logic allows any user who can participate in an event to register OTHER users by manipulating the user_uuid GET parameter. The condition uses || (OR), meaning if possibleToParticipate() returns true (event is open for participation), ANY user - not just leaders - can specify a different user_uuid and register/cancel participation for that user. The code then operates on $user->getValue('usr_id') (the target user from user_uuid) rather than the current user. This vulnerability is fixed in 5.0.6."}], "source": {"advisory": "GHSA-7pfv-hr63-h7cw", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T13:55:23.234262Z", "id": "CVE-2026-30927", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T13:59:12.645Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30927", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T13:55:23.234262Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T13:58:56.120Z"}}], "cna": {"title": "Admidio: Event participation IDOR - non-leaders can register other users for events via user_uuid parameter", "source": {"advisory": "GHSA-7pfv-hr63-h7cw", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "Admidio", "product": "admidio", "versions": [{"status": "affected", "version": "< 5.0.6"}]}], "references": [{"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-7pfv-hr63-h7cw", "name": "https://github.com/Admidio/admidio/security/advisories/GHSA-7pfv-hr63-h7cw", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Admidio/admidio/issues/1985", "name": "https://github.com/Admidio/admidio/issues/1985", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/Admidio/admidio/commit/e47f70cc3cbcdb39635fdbaaef02d19f604b8c3e", "name": "https://github.com/Admidio/admidio/commit/e47f70cc3cbcdb39635fdbaaef02d19f604b8c3e", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Admidio is an open-source user management solution. Prior to 5.0.6, in modules/events/events_function.php, the event participation logic allows any user who can participate in an event to register OTHER users by manipulating the user_uuid GET parameter. The condition uses || (OR), meaning if possibleToParticipate() returns true (event is open for participation), ANY user - not just leaders - can specify a different user_uuid and register/cancel participation for that user. The code then operates on $user->getValue('usr_id') (the target user from user_uuid) rather than the current user. This vulnerability is fixed in 5.0.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-09T23:03:55.824Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30927", "state": "PUBLISHED", "dateUpdated": "2026-03-10T13:59:12.645Z", "dateReserved": "2026-03-07T16:40:05.884Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-09T23:03:55.824Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*", "matchCriteriaId": "883414A9-6A14-4B2A-B582-F45E8E60BA91", "versionEndExcluding": "5.0.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Admidio is an open-source user management solution. Prior to 5.0.6, in modules/events/events_function.php, the event participation logic allows any user who can participate in an event to register OTHER users by manipulating the user_uuid GET parameter. The condition uses || (OR), meaning if possibleToParticipate() returns true (event is open for participation), ANY user - not just leaders - can specify a different user_uuid and register/cancel participation for that user. The code then operates on $user->getValue('usr_id') (the target user from user_uuid) rather than the current user. This vulnerability is fixed in 5.0.6."}, {"lang": "es", "value": "Admidio es una soluci\u00f3n de gesti\u00f3n de usuarios de c\u00f3digo abierto. Antes de la 5.0.6, en modules/events/events_function.php, la l\u00f3gica de participaci\u00f3n en eventos permite a cualquier usuario que pueda participar en un evento registrar a OTROS usuarios manipulando el par\u00e1metro GET user_uuid. La condici\u00f3n utiliza || (OR), lo que significa que si possibleToParticipate() devuelve verdadero (el evento est\u00e1 abierto para la participaci\u00f3n), CUALQUIER usuario - no solo los l\u00edderes - puede especificar un user_uuid diferente y registrar/cancelar la participaci\u00f3n para ese usuario. El c\u00f3digo entonces opera sobre $user-&gt;getValue('usr_id') (el usuario objetivo de user_uuid) en lugar del usuario actual. Esta vulnerabilidad est\u00e1 corregida en la 5.0.6."}], "id": "CVE-2026-30927", "lastModified": "2026-03-13T14:45:47.863", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-10T17:40:16.520", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/Admidio/admidio/commit/e47f70cc3cbcdb39635fdbaaef02d19f604b8c3e"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/Admidio/admidio/issues/1985"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-7pfv-hr63-h7cw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.0.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "admidio", "source": "cna", "vendor": "Admidio"}, "product": "admidio", "vendor": "admidio"}], "analysis": {"en": {"generated_at": "2026-04-17T11:47:19.251186+00:00", "value": {"mitigation_remediation": ["Upgrade Admidio to version 5.0.6 or later, which removes the OR condition and enforces proper user identification.", "If an immediate upgrade is not possible, revoke the event\u2011participation permission from non\u2011leader roles so that only leaders can alter participation via the user_uuid parameter.", "As an interim measure, modify modules/events/events_function.php to validate that the supplied user_uuid matches the authenticated user\u2019s own identifier when the requester is not a leader, or reject such requests entirely."], "summary": {"action": "Patch", "impact": "Unauthorized event participation via IDOR"}, "threat_synthesis": {"affected_systems": "Admidio installations running any version before 5.0.6 are affected. The flaw appears in modules/events/events_function.php and applies to all authenticated users who can participate in events, regardless of leadership status.", "description_and_impact": "The vulnerability exists in the event participation module of Admidio; an OR condition allows any user who has permission to participate to manipulate the user_uuid parameter and register or cancel participation for another user. By setting a different user_uuid value, an attacker can cause a non\u2011leader to appear registered, or remove another user's registration, altering attendance records without permission.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity. The EPSS score is less than 1%, suggesting a very low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated web access and the ability to modify the user_uuid GET parameter. No elevated privileges beyond the standard event\u2011participation rights are necessary."}}}}, "created": "2026-03-10T14:06:21.866240+00:00", "updated": "2026-04-17T12:00:11.724903+00:00", "vendors": ["admidio", "admidio$PRODUCT$admidio"]}