CVE-2026-32755

Admidio is an open-source user management solution. In versions 5.0.6 and below, the save_membership action in modules/profile/profile_function.php saves changes to a member's role membership start and end dates but does not validate the CSRF token. The handler checks stop_membership and remove_former_membership against the CSRF token but omits save_membership from that check. Because membership UUIDs appear in the HTML source visible to authenticated users, an attacker can embed a crafted POST form on any external page and trick a role leader into submitting it, silently altering membership dates for any member of roles the victim leads. A role leader's session can be silently exploited via CSRF to manipulate any member's membership dates, terminating access by backdating, covertly extending unauthorized access, or revoking role-restricted features, all without confirmation, notification, or administrative approval. This issue has been fixed in version 5.0.7.

CVSS v3 5.7 MEDIUM

5.7^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.1 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/Admidio/admidio/releases/tag/v5.0.7	Product Release Notes
https://github.com/Admidio/admidio/security/advisories/GHSA-h8gr-qwr6-m9gx	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-19 23:16

Updated : 2026-03-23 19:11

NVD link : CVE-2026-32755

Mitre link : CVE-2026-32755

CVE.ORG link : CVE-2026-32755

JSON object : View

Products Affected

admidio

admidio

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2026-32755", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.1}]}, "published": "2026-03-19T23:16:44.203", "references": [{"url": "https://github.com/Admidio/admidio/releases/tag/v5.0.7", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-h8gr-qwr6-m9gx", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "Admidio is an open-source user management solution. In versions 5.0.6 and below, the save_membership action in modules/profile/profile_function.php saves changes to a member's role membership start and end dates but does not validate the CSRF token. The handler checks stop_membership and remove_former_membership against the CSRF token but omits save_membership from that check. Because membership UUIDs appear in the HTML source visible to authenticated users, an attacker can embed a crafted POST form on any external page and trick a role leader into submitting it, silently altering membership dates for any member of roles the victim leads. A role leader's session can be silently exploited via CSRF to manipulate any member's membership dates, terminating access by backdating, covertly extending unauthorized access, or revoking role-restricted features, all without confirmation, notification, or administrative approval. This issue has been fixed in version 5.0.7."}, {"lang": "es", "value": "Admidio es una soluci\u00f3n de gesti\u00f3n de usuarios de c\u00f3digo abierto. En las versiones 5.0.6 e inferiores, la acci\u00f3n save_membership en modules/profile/profile_function.php guarda los cambios en las fechas de inicio y fin de la membres\u00eda de rol de un miembro, pero no valida el token CSRF. El gestor comprueba stop_membership y remove_former_membership contra el token CSRF, pero omite save_membership de esa comprobaci\u00f3n. Debido a que los UUID de membres\u00eda aparecen en el c\u00f3digo fuente HTML visible para los usuarios autenticados, un atacante puede incrustar un formulario POST manipulado en cualquier p\u00e1gina externa y enga\u00f1ar a un l\u00edder de rol para que lo env\u00ede, alterando silenciosamente las fechas de membres\u00eda para cualquier miembro de los roles que la v\u00edctima lidera. La sesi\u00f3n de un l\u00edder de rol puede ser explotada silenciosamente a trav\u00e9s de CSRF para manipular las fechas de membres\u00eda de cualquier miembro, terminando el acceso al retroceder la fecha, extendiendo encubiertamente el acceso no autorizado o revocando caracter\u00edsticas restringidas por rol, todo sin confirmaci\u00f3n, notificaci\u00f3n o aprobaci\u00f3n administrativa. Este problema ha sido solucionado en la versi\u00f3n 5.0.7."}], "lastModified": "2026-03-23T19:11:15.950", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3347E657-D132-4D87-A355-391136657A27", "versionEndExcluding": "5.0.7"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}