{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32816", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-16T17:35:36.696Z", "datePublished": "2026-03-19T22:57:19.068Z", "dateUpdated": "2026-03-20T17:29:42.359Z"}, "containers": {"cna": {"title": "Admidio has Missing CSRF Validation on Role Delete, Activate, and Deactivate Actions", "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "lang": "en", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Admidio/admidio/security/advisories/GHSA-wwg8-6ffr-h4q2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-wwg8-6ffr-h4q2"}, {"name": "https://github.com/Admidio/admidio/releases/tag/v5.0.7", "tags": ["x_refsource_MISC"], "url": "https://github.com/Admidio/admidio/releases/tag/v5.0.7"}], "affected": [{"vendor": "Admidio", "product": "admidio", "versions": [{"version": ">= 5.0.0, < 5.0.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T22:57:19.068Z"}, "descriptions": [{"lang": "en", "value": "Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the delete, activate, and deactivate modes in modules/groups-roles/groups_roles.php perform destructive state changes on organizational roles but never validate an anti-CSRF token. The client-side UI passes a CSRF token to callUrlHideElement(), which includes it in the POST body, but the server-side handlers ignore $_POST[\"adm_csrf_token\"] entirely for these three modes. An attacker who can discover a role UUID (visible in the public cards view when the module is publicly accessible) can embed a forged POST form on any external page and trick any user with the rol_assign_roles right into deleting or toggling roles for the organization. Role deletion is permanent and cascades to all memberships, event associations, and rights data. If exploited, an attacker can trick any user with delegated role-assignment rights into permanently deleting roles, mass-revoking all associated memberships and access to events, documents, and mailing lists, or silently activating or deactivating entire groups, with target role UUIDs trivially harvested from the unauthenticated public cards view and no undo path short of a database restore. This issue has been fixed in version 5.0.7."}], "source": {"advisory": "GHSA-wwg8-6ffr-h4q2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T17:26:42.937028Z", "id": "CVE-2026-32816", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T17:29:42.359Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32816", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T17:26:42.937028Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T17:29:28.902Z"}}], "cna": {"title": "Admidio has Missing CSRF Validation on Role Delete, Activate, and Deactivate Actions", "source": {"advisory": "GHSA-wwg8-6ffr-h4q2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "Admidio", "product": "admidio", "versions": [{"status": "affected", "version": ">= 5.0.0, < 5.0.7"}]}], "references": [{"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-wwg8-6ffr-h4q2", "name": "https://github.com/Admidio/admidio/security/advisories/GHSA-wwg8-6ffr-h4q2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Admidio/admidio/releases/tag/v5.0.7", "name": "https://github.com/Admidio/admidio/releases/tag/v5.0.7", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the delete, activate, and deactivate modes in modules/groups-roles/groups_roles.php perform destructive state changes on organizational roles but never validate an anti-CSRF token. The client-side UI passes a CSRF token to callUrlHideElement(), which includes it in the POST body, but the server-side handlers ignore $_POST[\"adm_csrf_token\"] entirely for these three modes. An attacker who can discover a role UUID (visible in the public cards view when the module is publicly accessible) can embed a forged POST form on any external page and trick any user with the rol_assign_roles right into deleting or toggling roles for the organization. Role deletion is permanent and cascades to all memberships, event associations, and rights data. If exploited, an attacker can trick any user with delegated role-assignment rights into permanently deleting roles, mass-revoking all associated memberships and access to events, documents, and mailing lists, or silently activating or deactivating entire groups, with target role UUIDs trivially harvested from the unauthenticated public cards view and no undo path short of a database restore. This issue has been fixed in version 5.0.7."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T22:57:19.068Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32816", "state": "PUBLISHED", "dateUpdated": "2026-03-20T17:29:42.359Z", "dateReserved": "2026-03-16T17:35:36.696Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-19T22:57:19.068Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the delete, activate, and deactivate modes in modules/groups-roles/groups_roles.php perform destructive state changes on organizational roles but never validate an anti-CSRF token. The client-side UI passes a CSRF token to callUrlHideElement(), which includes it in the POST body, but the server-side handlers ignore $_POST[\"adm_csrf_token\"] entirely for these three modes. An attacker who can discover a role UUID (visible in the public cards view when the module is publicly accessible) can embed a forged POST form on any external page and trick any user with the rol_assign_roles right into deleting or toggling roles for the organization. Role deletion is permanent and cascades to all memberships, event associations, and rights data. If exploited, an attacker can trick any user with delegated role-assignment rights into permanently deleting roles, mass-revoking all associated memberships and access to events, documents, and mailing lists, or silently activating or deactivating entire groups, with target role UUIDs trivially harvested from the unauthenticated public cards view and no undo path short of a database restore. This issue has been fixed in version 5.0.7."}], "id": "CVE-2026-32816", "lastModified": "2026-03-20T13:37:50.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-19T23:16:44.380", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/Admidio/admidio/releases/tag/v5.0.7"}, {"source": "security-advisories@github.com", "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-wwg8-6ffr-h4q2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.0.0,5.0.7)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "admidio", "source": "cna", "vendor": "Admidio"}, "product": "admidio", "vendor": "admidio"}], "analysis": {"en": {"generated_at": "2026-03-20T00:51:46.716553+00:00", "value": {"mitigation_remediation": ["Apply the latest patch (Admidio v5.0.7) to eliminate the missing CSRF validation in role operations.", "Limit the visibility of role UUIDs in the public cards view to reduce the attacker\u2019s ability to discover target roles.", "Restrict the rol_assign_roles permission to trusted, high\u2011privilege accounts to minimize the attack surface."], "summary": {"action": "Patch", "impact": "Privilege Escalation and Data Loss"}, "threat_synthesis": {"affected_systems": "Affected product: Admidio (admidio). Versions 5.0.0 through 5.0.6 inclusive are vulnerable. The issue is fixed in version 5.0.7. No specific version ranges are listed beyond this range.", "description_and_impact": "Admidio versions 5.0.0 through 5.0.6 lack CSRF validation for delete, activate, and deactivate actions on organizational roles. Because the server does not check the anti\u2011CSRF token provided in the POST body, an attacker can submit a forged form from any external page that targets a role identified by its UUID. If the victim user possesses the rol_assign_roles right, the request will permanently delete the role, cascade removal of all memberships, event associations, and rights, or silently activate or deactivate entire groups. The consequence is loss of access to documents, mailing lists, events, and overall disruption of business processes. Key detail from CVE description: \"Role deletion is permanent and cascades to all memberships, event associations, and rights data.\", and the vulnerability is explicitly noted as a missing CSRF token.", "risk_and_exploitability": "The CVSS score of 5.7 indicates moderate severity. EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. According to the CVE description, an attacker can craft a malicious form on an external web page to deceive a user with the appropriate role\u2011assignment permission into submitting the request. No additional conditions such as session hijacking are required beyond the presence of that permission. The lack of CSRF validation therefore simplifies exploitation and presents a clear risk to any user who can be persuaded to interact with the forged form."}}}}, "created": "2026-03-20T08:54:30.514762+00:00", "updated": "2026-03-20T10:43:58.304038+00:00", "vendors": ["admidio", "admidio$PRODUCT$admidio"]}