Admidio has Missing CSRF Validation on Role Delete, Activate, and Deactivate Actions
Description
Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the delete, activate, and deactivate modes in modules/groups-roles/groups_roles.php perform destructive state changes on organizational roles but never validate an anti-CSRF token. The client-side UI passes a CSRF token to callUrlHideElement(), which includes it in the POST body, but the server-side handlers ignore $_POST["adm_csrf_token"] entirely for these three modes. An attacker who can discover a role UUID (visible in the public cards view when the module is publicly accessible) can embed a forged POST form on any external page and trick any user with the rol_assign_roles right into deleting or toggling roles for the organization. Role deletion is permanent and cascades to all memberships, event associations, and rights data. If exploited, an attacker can trick any user with delegated role-assignment rights into permanently deleting roles, mass-revoking all associated memberships and access to events, documents, and mailing lists, or silently activating or deactivating entire groups, with target role UUIDs trivially harvested from the unauthenticated public cards view and no undo path short of a database restore. This issue has been fixed in version 5.0.7.
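The missing check and the shape of the fix, modelled here as an added Python example rather than Admidio's PHP (neither handler is the project's code; the role store, the session fields and the 403/405 responses are assumptions, only the three mode names, `adm_csrf_token` and `rol_assign_roles` come from the advisory):

```python
import hmac
import secrets

STATE_CHANGING_MODES = ("delete", "activate", "deactivate")

def make_store() -> dict:
    """Constructed sample data: one role (assumed UUID) with two members."""
    return {"roles": {"role-uuid-1": {"name": "Board", "active": True}},
            "memberships": {"role-uuid-1": {"alice", "bob"}}}

def issue_csrf_token(session: dict) -> str:
    """Per-session token; the UI embeds it in the POST body as adm_csrf_token."""
    session.setdefault("adm_csrf_token", secrets.token_hex(32))
    return session["adm_csrf_token"]

def apply_role_action(store: dict, mode: str, role_uuid: str) -> str:
    """Destructive change; delete is permanent and cascades to memberships."""
    if role_uuid not in store["roles"]:
        return "404 role not found"
    if mode == "delete":
        del store["roles"][role_uuid]
        store["memberships"].pop(role_uuid, None)
    else:
        store["roles"][role_uuid]["active"] = (mode == "activate")
    return "200 ok"

def handle_unpatched(store, method, mode, role_uuid, session, post) -> str:
    """Defect as described: the right is checked, the token is never read."""
    if not session.get("rol_assign_roles"):
        return "403 forbidden"
    if mode in STATE_CHANGING_MODES:
        return apply_role_action(store, mode, role_uuid)
    return "200 ok"

def handle_patched(store, method, mode, role_uuid, session, post) -> str:
    """Fix shape: state changes need POST and a token matching the session."""
    if not session.get("rol_assign_roles"):
        return "403 forbidden"
    if mode in STATE_CHANGING_MODES:
        if method != "POST":
            return "405 method not allowed"
        expected = session.get("adm_csrf_token", "")
        submitted = str(post.get("adm_csrf_token", ""))
        # constant-time compare; an unset session token never matches
        if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
            return "403 invalid csrf token"
        return apply_role_action(store, mode, role_uuid)
    return "200 ok"
```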
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Admidio 5.0.0-5.0.6 lacks CSRF validation for role delete/activate/deactivate, allowing attackers to trick privileged users into permanently deleting roles using forged POST requests.
Vulnerability
Admidio versions 5.0.0 through 5.0.6 contain a Cross-Site Request Forgery (CSRF) vulnerability in the delete, activate, and deactivate modes of modules/groups-roles/groups_roles.php. The server-side code performs destructive state changes on organizational roles without validating the adm_csrf_token POST parameter, even though the client-side UI includes it. This oversight allows an attacker to forge requests on behalf of an authenticated user [1][2].
Exploitation
An attacker can discover a role UUID from the publicly accessible cards view if the module is exposed. By embedding a malicious POST form on an external site, the attacker can trick any user with the rol_assign_roles right into submitting the request. The server processes the action without any CSRF check, enabling unauthorized role deletion, activation, or deactivation [2].
Impact
Successful exploitation can lead to permanent deletion of organizational roles, cascading to all associated memberships, event associations, and rights data. Activating or deactivating roles can disrupt access to events, documents, and mailing lists. The only recovery method is a database restore [1][2].
Mitigation
The vulnerability has been fixed in Admidio version 5.0.7. Users are strongly advised to upgrade immediately to protect against potential attacks [4].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| admidio/admidio (Packagist) | >= 5.0.0, < 5.0.7 | 5.0.7 |
Patches
No patches discovered yet.
References
1. github.com/advisories/GHSA-wwg8-6ffr-h4q2 (GitHub Security Advisory)
2. nvd.nist.gov/vuln/detail/CVE-2026-32816 (NVD)
3. github.com/Admidio/admidio/releases/tag/v5.0.7 (release notes)
4. github.com/Admidio/admidio/security/advisories/GHSA-wwg8-6ffr-h4q2 (vendor advisory)