Admidio is Missing CSRF Protection on Role Membership Date Changes
Description
Admidio is an open-source user management solution. In versions 5.0.6 and below, the save_membership action in modules/profile/profile_function.php saves changes to a member's role membership start and end dates but does not validate the CSRF token. The handler checks stop_membership and remove_former_membership against the CSRF token but omits save_membership from that check. Because membership UUIDs appear in the HTML source visible to authenticated users, an attacker can embed a crafted POST form on any external page and trick a role leader into submitting it, silently altering membership dates for any member of roles the victim leads. A role leader's session can be silently exploited via CSRF to manipulate any member's membership dates, terminating access by backdating, covertly extending unauthorized access, or revoking role-restricted features, all without confirmation, notification, or administrative approval. This issue has been fixed in version 5.0.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF vulnerability in Admidio <=5.0.6 lets attackers alter role membership dates by tricking role leaders, enabling unauthorized access or privilege changes.
Vulnerability Description
Admidio versions 5.0.6 and below contain a Cross-Site Request Forgery (CSRF) vulnerability in the save_membership action of modules/profile/profile_function.php. The code validates CSRF tokens for stop_membership and remove_former_membership but omits this check for save_membership, allowing an attacker to force a victim's browser to submit unauthorized membership date changes [1][2].
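To make the flaw concrete, the following is an added Python model of the dispatch pattern the advisory describes; it is not Admidio's code (which is PHP) and does not reproduce its real request handling. It places a handler that checks the session token only for two of the three state-changing modes beside a hardened handler that checks the token before dispatching at all. The field names (`mode`, `csrf_token`, `membership_uuid`, `start`, `end`), the membership record and the UUID value are assumptions of this model; only the three mode names come from the advisory.

```python
"""Model of a per-action CSRF check with one action left out (constructed example)."""
import hmac
import secrets
from dataclasses import dataclass

# The three mode names are those the advisory lists; the request field names
# ("mode", "csrf_token", "membership_uuid", "start", "end") are assumptions of
# this model, not Admidio's real parameters.
PROTECTED_MODES_VULNERABLE = {"stop_membership", "remove_former_membership"}
STATE_CHANGING_MODES = PROTECTED_MODES_VULNERABLE | {"save_membership"}


@dataclass
class Membership:
    uuid: str
    start: str
    end: str
    active: bool = True


class Session:
    """Logged-in role leader; one CSRF token per session."""

    def __init__(self) -> None:
        self.csrf_token = secrets.token_hex(16)


def token_ok(session: Session, form: dict) -> bool:
    # Constant-time compare; a missing field is compared against "".
    return hmac.compare_digest(session.csrf_token, form.get("csrf_token", ""))


def apply_mode(mode: str, form: dict, db: dict) -> str:
    """Perform the state change for a mode (the part both handlers share)."""
    m = db[form["membership_uuid"]]
    if mode == "save_membership":
        m.start, m.end = form["start"], form["end"]
        return "saved"
    if mode == "stop_membership":
        m.active = False
        return "stopped"
    if mode == "remove_former_membership":
        del db[m.uuid]
        return "removed"
    return "unknown mode"


def handle_vulnerable(form: dict, session: Session, db: dict) -> str:
    """Token is checked inside the branches, and one branch was forgotten."""
    mode = form.get("mode", "")
    if mode in PROTECTED_MODES_VULNERABLE and not token_ok(session, form):
        return "rejected: bad csrf token"
    return apply_mode(mode, form, db)


def handle_hardened(form: dict, session: Session, db: dict) -> str:
    """Token is checked once, before dispatch, for every state-changing mode."""
    mode = form.get("mode", "")
    if mode not in STATE_CHANGING_MODES:
        return "unknown mode"
    if not token_ok(session, form):
        return "rejected: bad csrf token"
    return apply_mode(mode, form, db)


def run_demo() -> dict:
    """Replay a forged cross-site POST against both handlers."""
    session = Session()
    # Constructed membership; in the real flaw the UUID is readable from the
    # page source by any authenticated user, so the attacker can learn it.
    uuid = "11111111-2222-3333-4444-555555555555"
    db = {uuid: Membership(uuid, "2024-01-01", "9999-12-31")}
    # Forged request: the attacker knows the UUID but not the session token.
    forged = {"mode": "save_membership", "membership_uuid": uuid,
              "start": "2020-01-01", "end": "2020-01-02"}
    forged_stop = {"mode": "stop_membership", "membership_uuid": uuid}

    results = {}
    results["vuln_save"] = handle_vulnerable(forged, session, db)
    results["end_after_vuln"] = db[uuid].end          # silently backdated
    results["vuln_stop"] = handle_vulnerable(forged_stop, session, db)

    db[uuid].start, db[uuid].end = "2024-01-01", "9999-12-31"   # reset
    results["hard_save"] = handle_hardened(forged, session, db)
    results["end_after_hard"] = db[uuid].end          # unchanged
    # A same-origin submission carries the token and is still accepted.
    legit = dict(forged, csrf_token=session.csrf_token)
    results["hard_legit"] = handle_hardened(legit, session, db)
    return results


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The structural point is where the check lives: when the token is validated inside each branch, every new mode is a chance to forget it, which is exactly how save_membership slipped through while its two siblings were protected. Validating once before dispatch, for any state-changing request, removes that class of omission.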
Attack Vector
An attacker can embed a crafted HTML form on any external website that automatically submits POST data to the vulnerable Admidio endpoint. The form requires valid membership UUIDs, which are visible in the page source to authenticated users, so the attacker must first obtain them through an account or another authenticated view. The attacker then tricks a role leader into submitting the form, for example via a phishing link or malicious ad, exploiting the victim's active session [2].
Impact
By altering membership start and end dates, an attacker can effectively terminate a user's access by backdating, covertly extend unauthorized access, or revoke role-restricted features. These changes occur silently without confirmation, notification, or administrative approval, potentially leading to privilege escalation or denial of service [1].
Mitigation
The issue has been fixed in Admidio version 5.0.7 [4]. Users should upgrade immediately to prevent exploitation. No workaround is available for earlier versions.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| admidio/admidio | Packagist | < 5.0.7 | 5.0.7 |
Affected products: 2
Patches: 0 (no patches discovered yet)
References
- [1] github.com/advisories/GHSA-h8gr-qwr6-m9gx (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2026-32755 (NVD entry)
- [3] github.com/Admidio/admidio/releases/tag/v5.0.7 (release notes)
- [4] github.com/Admidio/admidio/security/advisories/GHSA-h8gr-qwr6-m9gx (vendor security advisory)