Admidio CVE-2026-41660: Logic Error Allows 2FA Bypass for Admin Accounts
A critical logic error, identified as CVE-2026-41660, has been disclosed in Admidio, an open-source user management solution. Prior to version 5.0.9, the two-factor authentication (2FA) reset mechanism was flawed. According to the National Vulnerability Database, this vulnerability inverts the authorization check, allowing non-administrative users to remove the TOTP configuration for other users, including administrators, despite being unable to remove their own.
This means a low-privileged user, such as a group leader with profile edit rights, could strip an administrator’s 2FA protection. The National Vulnerability Database assigns this a CVSS score of 7.1 (HIGH), highlighting the significant impact. Attackers can bypass a crucial security layer, gaining easier access to privileged accounts. The issue has since been patched in Admidio version 5.0.9.
From an attacker’s perspective, this is a goldmine. It’s a low-effort, high-reward attack that leverages an internal flaw rather than brute-forcing credentials or exploiting complex memory corruption. The attacker only needs basic access and specific permissions to target an admin, effectively disabling a key defense mechanism and setting the stage for deeper compromise.
What This Means For You
- If your organization uses Admidio, you must prioritize patching to version 5.0.9 immediately. Audit your user logs for any suspicious 2FA reset activity or unauthorized profile modifications, especially concerning administrative accounts. This isn't just about patching; it's about understanding the attack surface when authentication mechanisms fail.
Related ATT&CK Techniques
🛡️ Detection Rules
Admidio CVE-2026-41660: Non-Admin User Resets Admin 2FA
```yaml
title: Admidio CVE-2026-41660: Non-Admin User Resets Admin 2FA
id: scw-2026-05-07-ai-1
status: experimental
level: high
description: |
  Detects a non-administrator user attempting to remove the Two-Factor Authentication (2FA)
  configuration for an administrator account in Admidio. This is specific to CVE-2026-41660,
  where a logic error allowed users with profile edit rights to remove 2FA from other users,
  including administrators, bypassing the intended authorization checks.
author: SCW Feed Engine (AI-generated)
date: 2026-05-07
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-41660/
tags:
  - attack.privilege_escalation
  - attack.t1531
logsource:
  category: authentication
detection:
  selection:
    # For this rule to match its description, 'User' must carry the account
    # whose 2FA is being removed (the target), not the acting user.
    User|contains:
      - 'admin'
    # Both substrings are required; the |all modifier ANDs the list values
    # (a YAML mapping cannot repeat the 'cs-uri-query|contains' key).
    cs-uri-query|contains|all:
      - '/adm_program/management/user_edit.php'
      - 'action=delete_2fa'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
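The rule above cannot, by itself, tell the acting user from the account whose 2FA is removed, which is the whole point of this bug. The following is an added Python example (not Admidio's code and not the feed's rule) that flags a 2FA removal only when the actor is not an administrator and the target is. The log line format, the `target_user` query parameter and the role table are constructed for illustration; the endpoint path and `action=delete_2fa` are the values used in the Sigma rule above.

```python
"""Detection logic for the CVE-2026-41660 pattern: a non-admin actor removing
2FA from an administrator account. The log format, the 'target_user' parameter
and the role table are constructed; the path and 'action=delete_2fa' come from
the Sigma rule above."""
from urllib.parse import parse_qs, urlparse

USER_EDIT_PATH = "/adm_program/management/user_edit.php"

# Constructed role directory: which account names are administrators.
ADMINS = {"admin", "dave.admin"}

# Constructed log lines: "<actor> <method> <request-uri>", one event per line.
SAMPLE_LOG = """\
leader1 POST /adm_program/management/user_edit.php?target_user=admin&action=delete_2fa
leader1 POST /adm_program/management/user_edit.php?target_user=leader1&action=delete_2fa
admin POST /adm_program/management/user_edit.php?target_user=bob&action=delete_2fa
bob GET /adm_program/management/user_edit.php?target_user=bob&action=edit
leader1 POST /adm_program/management/user_edit.php?target_user=dave.admin&action=delete_2fa
"""

def parse_line(line):
    """Split a log line into actor, path, target account and action."""
    actor, _method, uri = line.split(maxsplit=2)
    parsed = urlparse(uri)
    query = parse_qs(parsed.query)
    return {
        "actor": actor,
        "path": parsed.path,
        "target": query.get("target_user", [None])[0],
        "action": query.get("action", [None])[0],
    }

def is_suspicious(event, admins=ADMINS):
    """True when a non-admin removes 2FA from a different, admin account.
    Self-resets and resets performed by admins are normal and not flagged."""
    return (
        event["path"] == USER_EDIT_PATH
        and event["action"] == "delete_2fa"
        and event["actor"] not in admins
        and event["target"] in admins
        and event["target"] != event["actor"]
    )

def find_alerts(log_text, admins=ADMINS):
    """Return the parsed events in log_text that match the abuse pattern."""
    events = (parse_line(ln) for ln in log_text.splitlines() if ln.strip())
    return [e for e in events if is_suspicious(e, admins)]
```

Running `find_alerts(SAMPLE_LOG)` on the constructed log returns only the two events where `leader1` strips 2FA from `admin` and `dave.admin`; the self-reset and the admin-performed reset are left alone.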
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-41660 | Auth Bypass | Admidio < 5.0.9 |
| CVE-2026-41660 | Privilege Escalation | Admidio < 5.0.9 |
| CVE-2026-41660 | Misconfiguration | Admidio two-factor authentication reset logic error |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 07, 2026 at 07:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.