Skip to content

Inverted 2FA Reset Authorization Check Lets Group Leaders Strip Admin TOTP

High
Fasse published GHSA-rh3w-4ccx-prf9 Apr 23, 2026

Software

admidio/admidio

Affected versions

<= 5.0.8

Patched versions

5.0.9

Description

Summary

A logic error in Admidio's two-factor authentication reset inverts the authorization check. Non-admin users cannot remove their own TOTP configuration, but they can remove other users' TOTP, including administrators. A group leader with profile edit rights on an admin account can strip that admin's 2FA.

Details

In modules/profile/two_factor_authentication.php at line 84, the authorization check uses an inverted condition:

// modules/profile/two_factor_authentication.php line 84
if (!($gCurrentUser->isAdministrator() || $gCurrentUserId !== $userId))
{
    throw new AdmException('SYS_NO_RIGHTS');
}

By De Morgan's law, this condition evaluates as:

  • Blocks when: NOT isAdministrator() AND $gCurrentUserId === $userId
  • In practice: blocks non-admins from resetting their OWN 2FA
  • Passes: non-admins resetting OTHER users' 2FA (the opposite of the intended behavior)

The intended logic should block non-admins from resetting other users' 2FA. The !== operator on line 84 should be ===.

A group leader who holds hasRightEditProfile() permission on an admin user (checked earlier in the flow) can exploit this to strip 2FA from administrator accounts, reducing their security to password-only authentication.

Proof of Concept

  1. As testuser (a non-admin group leader with edit rights on admin profiles), send:
POST /adm_program/modules/profile/two_factor_authentication.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: ADMIDIO_..._SESSION_ID=<testuser_session>

mode=reset&user_uuid=<admin_user_uuid>

Result: the server removes 2FA from the admin account.

  1. As testuser, attempt to reset their own 2FA:
POST /adm_program/modules/profile/two_factor_authentication.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: ADMIDIO_..._SESSION_ID=<testuser_session>

mode=reset&user_uuid=<testuser_user_uuid>

Result: SYS_NO_RIGHTS error. The user cannot reset their own 2FA.

This confirms the authorization logic is inverted.

Impact

A group leader (or any user with profile edit rights on an admin) can disable two-factor authentication on administrator accounts. This degrades admin account security to password-only, opening the door to credential stuffing or brute force attacks without a 2FA barrier.

Recommended Fix

Change !== to === on line 84 of modules/profile/two_factor_authentication.php:

// Fixed condition: block non-admins from resetting OTHER users' 2FA
if (!($gCurrentUser->isAdministrator() || $gCurrentUserId === $userId))
{
    throw new AdmException('SYS_NO_RIGHTS');
}

Found by aisafe.io

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
Low

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

CVE ID

CVE-2026-41660

Weaknesses

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. Learn more on MITRE.

Credits