AIKIDO-2026-10117

TL;DR

Affected versions of this package had insufficient access control on several user-related controller actions in UsersController, allowing certain user management operations (such as impersonation, sending activation or password reset emails, enabling/disabling accounts, etc.) to be invoked without enforcing the appropriate permission and context checks. The patched version centralizes and strengthens these checks (userActionChecks), requiring proper post requests, control-panel context, edition, and editUsers permission before performing sensitive user actions, preventing unauthorized access and privilege escalation.