CVE-2026-30927
Admidio: Event participation IDOR - non-leaders can register other users for events via user_uuid parameter
Description
## Vulnerability

In `modules/events/events_function.php`, the event participation logic allows any user who can participate in an event to register other users by manipulating the `user_uuid` GET parameter.

Line 47 reads the target user from the request: `$getUserUuid = admFuncVariableIsValid($_GET, 'user_uuid', 'uuid', ...)`

Line 424 gates the action: `if ($event->possibleToParticipate() || $participants->isLeader($gCurrentUserId))`

Because the condition is an OR, it is enough that `possibleToParticipate()` returns true (the event is open for participation): any user, not just a leader, can then supply a different `user_uuid` and register or cancel participation for that user. The code subsequently operates on `$user->getValue('usr_id')`, the user resolved from `user_uuid`, rather than on the current user. The only thing the attacker needs is the victim's UUID; a UUID is an identifier, not a secret, so its unguessability provides no protection here.

## Impact

- Register unwilling users for events (potential harassment/spam)
- Cancel other users' event participation
- Manipulate event participant counts and comments
- If events have participation limits, fill slots with unwanted registrations

## Fix

For non-leader users, force `user_uuid` to the current user before the target user is looked up, so that the leader check remains the only path to acting on someone else:

```php
if (!$participants->isLeader($gCurrentUserId)) {
    $getUserUuid = $gCurrentUser->getValue('usr_uuid');
}
```
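The following is an added example, not code from Admidio or from the advisory. It models the authorization decision quoted above with hypothetical stand-in classes (`FakeUser`, `FakeParticipants`, `lookupUserByUuid`, and the two `resolveTarget*` functions are assumptions chosen to mirror the calls the advisory names, not the real Admidio API) so that the vulnerable target-user resolution and the fixed one can be run side by side on constructed data. It needs PHP 8.0 or later.

```php
<?php
// Added example (not Admidio's code): a self-contained model of the check in
// modules/events/events_function.php. All classes and functions below are
// hypothetical stand-ins for the Admidio objects named in the advisory.

final class FakeUser
{
    public function __construct(private int $id, private string $uuid) {}

    // Mirrors the getValue('usr_id') / getValue('usr_uuid') calls in the advisory.
    public function getValue(string $column): int|string
    {
        return match ($column) {
            'usr_id'   => $this->id,
            'usr_uuid' => $this->uuid,
        };
    }
}

final class FakeParticipants
{
    /** @param int[] $leaderIds */
    public function __construct(private array $leaderIds) {}

    public function isLeader(int $userId): bool
    {
        return in_array($userId, $this->leaderIds, true);
    }
}

/** Stand-in for the database lookup of a user by UUID. */
function lookupUserByUuid(array $directory, string $uuid): FakeUser
{
    if (!isset($directory[$uuid])) {
        throw new RuntimeException("unknown user_uuid: $uuid");
    }
    return $directory[$uuid];
}

/**
 * Vulnerable variant: the OR condition means an open event is enough, so the
 * usr_id acted upon is whatever user_uuid the caller supplied.
 * Returns the usr_id the action would be applied to, or null if rejected.
 */
function resolveTargetVulnerable(bool $possibleToParticipate, FakeParticipants $participants,
    FakeUser $currentUser, string $requestedUuid, array $directory): ?int
{
    if ($possibleToParticipate || $participants->isLeader($currentUser->getValue('usr_id'))) {
        $user = lookupUserByUuid($directory, $requestedUuid);
        return $user->getValue('usr_id');
    }
    return null;
}

/**
 * Fixed variant, following the advisory's remediation: a non-leader has
 * user_uuid overwritten with their own UUID before the lookup, so the only way
 * to act on another user is to be a leader of the event.
 */
function resolveTargetFixed(bool $possibleToParticipate, FakeParticipants $participants,
    FakeUser $currentUser, string $requestedUuid, array $directory): ?int
{
    $currentUserId = $currentUser->getValue('usr_id');
    $isLeader      = $participants->isLeader($currentUserId);

    $getUserUuid = $requestedUuid;
    if (!$isLeader) {
        $getUserUuid = $currentUser->getValue('usr_uuid');
    }

    if ($possibleToParticipate || $isLeader) {
        return lookupUserByUuid($directory, $getUserUuid)->getValue('usr_id');
    }
    return null;
}

// Constructed sample data: Alice (1) and Bob (2) are ordinary members,
// Carol (3) is the event leader. The event is open for participation.
$directory = [
    'uuid-alice' => new FakeUser(1, 'uuid-alice'),
    'uuid-bob'   => new FakeUser(2, 'uuid-bob'),
    'uuid-carol' => new FakeUser(3, 'uuid-carol'),
];
$participants = new FakeParticipants([3]);
$eventOpen    = true;

// Alice sends ?user_uuid=uuid-bob, trying to register Bob.
$vuln  = resolveTargetVulnerable($eventOpen, $participants, $directory['uuid-alice'], 'uuid-bob', $directory);
$fixed = resolveTargetFixed($eventOpen, $participants, $directory['uuid-alice'], 'uuid-bob', $directory);
printf("non-leader Alice targeting Bob  -> vulnerable acts on usr_id %d, fixed acts on usr_id %d\n", $vuln, $fixed);

// Leader Carol may still manage Bob's participation after the fix.
$leader = resolveTargetFixed($eventOpen, $participants, $directory['uuid-carol'], 'uuid-bob', $directory);
printf("leader Carol targeting Bob      -> fixed acts on usr_id %d\n", $leader);
```

Run it with `php` on the command line: the first line shows the vulnerable path acting on Bob (usr_id 2) while the fixed path acts on Alice herself (usr_id 1); the second line shows that the leader path is unchanged. When porting the fix, keep the overwrite of `$getUserUuid` ahead of any database lookup or validation that uses it, otherwise the attacker-chosen UUID is still the one that gets resolved.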
How to fix CVE-2026-30927
To remediate CVE-2026-30927, upgrade the affected package to a fixed version below.
- Upgrade Admidio to 5.0.6 or later.
Is CVE-2026-30927 being exploited?
Low. The EPSS score is 0.0%, meaning the estimated probability of in-the-wild exploitation is negligible and no exploitation activity has been reported at scale. EPSS reflects observed and predicted exploitation, not difficulty: the issue itself requires only an authenticated account and a changed `user_uuid` parameter.
Affected packages (1)
- Admidio: all versions before 5.0.6 (from 0, < 5.0.6)