CVE-2026-30927: Admidio: Event participation IDOR - non-leaders can register other users for events via user_uuid parameter

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-30927

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Admidio: Event participation IDOR - non-leaders can register other users for events via user_uuid parameter

Source: NVD (National Vulnerability Database)

Vulnerability Description

Admidio is an open-source user management solution. Prior to 5.0.6, in modules/events/events_function.php, the event participation logic allows any user who can participate in an event to register OTHER users by manipulating the user_uuid GET parameter. The condition uses || (OR), meaning if possibleToParticipate() returns true (event is open for participation), ANY user - not just leaders - can specify a different user_uuid and register/cancel participation for that user. The code then operates on $user->getValue('usr_id') (the target user from user_uuid) rather than the current user. This vulnerability is fixed in 5.0.6.

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

通过用户控制密钥绕过授权机制

Source: NVD (National Vulnerability Database)

Vulnerability Title

Admidio 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Admidio是Admidio团队的一套开源的成员管理系统。该系统支持成员列表、事件管理、留言簿、相册和下载等功能。 Admidio 5.0.6之前版本存在安全漏洞，该漏洞源于modules/events/events_function.php中事件参与逻辑存在缺陷，可能导致用户注册其他用户参与活动。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
Admidio	admidio	< 5.0.6	-

II. Public POCs for CVE-2026-30927

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2026-30927

Please Login to view more intelligence information

https://github.com/Admidio/admidio/issues/1985x_refsource_MISC
https://github.com/Admidio/admidio/security/advisories/GHSA-7pfv-hr63-h7cwx_refsource_CONFIRM
https://github.com/Admidio/admidio/commit/e47f70cc3cbcdb39635fdbaaef02d19f604b8c3ex_refsource_MISC
https://nvd.nist.gov/vuln/detail/CVE-2026-30927

IV. Related Vulnerabilities

Same product: admidio

Same vendor: Admidio

Same weakness: CWE-639

V. Comments for CVE-2026-30927

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

I. Basic Information for CVE-2026-30927

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2026-30927

III. Intelligence Information for CVE-2026-30927

IV. Related Vulnerabilities

V. Comments for CVE-2026-30927

Leave a comment