CVE-2026-32816

Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the delete, activate, and deactivate modes in modules/groups-roles/groups_roles.php perform destructive state changes on organizational roles but never validate an anti-CSRF token. The client-side UI passes a CSRF token to callUrlHideElement(), which includes it in the POST body, but the server-side handlers ignore $_POST["adm_csrf_token"] entirely for these three modes. An attacker who can discover a role UUID (visible in the public cards view when the module is publicly accessible) can embed a forged POST form on any external page and trick any user with the rol_assign_roles right into deleting or toggling roles for the organization. Role deletion is permanent and cascades to all memberships, event associations, and rights data. If exploited, an attacker can trick any user with delegated role-assignment rights into permanently deleting roles, mass-revoking all associated memberships and access to events, documents, and mailing lists, or silently activating or deactivating entire groups, with target role UUIDs trivially harvested from the unauthenticated public cards view and no undo path short of a database restore. This issue has been fixed in version 5.0.7.

CVSS v3 5.7 MEDIUM

5.7^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.1 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/Admidio/admidio/releases/tag/v5.0.7	Product Release Notes
https://github.com/Admidio/admidio/security/advisories/GHSA-wwg8-6ffr-h4q2	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-19 23:16

Updated : 2026-03-23 19:10

NVD link : CVE-2026-32816

Mitre link : CVE-2026-32816

CVE.ORG link : CVE-2026-32816

JSON object : View

Products Affected

admidio

admidio

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2026-32816", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.1}]}, "published": "2026-03-19T23:16:44.380", "references": [{"url": "https://github.com/Admidio/admidio/releases/tag/v5.0.7", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-wwg8-6ffr-h4q2", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the delete, activate, and deactivate modes in modules/groups-roles/groups_roles.php perform destructive state changes on organizational roles but never validate an anti-CSRF token. The client-side UI passes a CSRF token to callUrlHideElement(), which includes it in the POST body, but the server-side handlers ignore $_POST[\"adm_csrf_token\"] entirely for these three modes. An attacker who can discover a role UUID (visible in the public cards view when the module is publicly accessible) can embed a forged POST form on any external page and trick any user with the rol_assign_roles right into deleting or toggling roles for the organization. Role deletion is permanent and cascades to all memberships, event associations, and rights data. If exploited, an attacker can trick any user with delegated role-assignment rights into permanently deleting roles, mass-revoking all associated memberships and access to events, documents, and mailing lists, or silently activating or deactivating entire groups, with target role UUIDs trivially harvested from the unauthenticated public cards view and no undo path short of a database restore. This issue has been fixed in version 5.0.7."}, {"lang": "es", "value": "Admidio es una soluci\u00f3n de gesti\u00f3n de usuarios de c\u00f3digo abierto. En las versiones 5.0.0 a 5.0.6, los modos de eliminar, activar y desactivar en modules/groups-roles/groups_roles.php realizan cambios de estado destructivos en los roles organizacionales, pero nunca validan un token anti-CSRF. La interfaz de usuario del cliente (UI) pasa un token CSRF a callUrlHideElement(), que lo incluye en el cuerpo de la solicitud POST, pero los manejadores del servidor ignoran $_POST[\"adm_csrf_token\"] por completo para estos tres modos. Un atacante que pueda descubrir un UUID de rol (visible en la vista p\u00fablica de tarjetas cuando el m\u00f3dulo es accesible p\u00fablicamente) puede incrustar un formulario POST falsificado en cualquier p\u00e1gina externa y enga\u00f1ar a cualquier usuario con el derecho rol_assign_roles para que elimine o alterne roles para la organizaci\u00f3n. La eliminaci\u00f3n de roles es permanente y se propaga a todas las membres\u00edas, asociaciones de eventos y datos de derechos. Si se explota, un atacante puede enga\u00f1ar a cualquier usuario con derechos delegados de asignaci\u00f3n de roles para que elimine roles de forma permanente, revoque masivamente todas las membres\u00edas asociadas y el acceso a eventos, documentos y listas de correo, o active o desactive silenciosamente grupos enteros, con los UUID de rol objetivo f\u00e1cilmente obtenidos de la vista p\u00fablica de tarjetas no autenticada y sin una ruta de deshacer que no sea una restauraci\u00f3n de la base de datos. Este problema ha sido solucionado en la versi\u00f3n 5.0.7."}], "lastModified": "2026-03-23T19:10:21.587", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4020E2FE-8E51-405F-86CB-DAAFBA7FD9B3", "versionEndExcluding": "5.0.7", "versionStartIncluding": "5.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}