Admidio is Missing Authorization on Forum Topic and Post Deletion
Description
Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the forum module does not verify whether the current user has permission to delete forum topics or posts. Both the topic_delete and post_delete actions in forum.php validate only the CSRF token and perform no authorization check before calling delete(). This is inconsistent with the save/edit operations in the same module, which check isAdministratorForum() and ownership before allowing modifications. As a result, any authenticated user with forum access can permanently and irreversibly delete any topic (together with all its posts) or any individual post simply by knowing its UUID, which is visible in the application's URLs. This issue has been fixed in version 5.0.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Admidio 5.0.0–5.0.6 forum module lacks authorization checks on delete actions, allowing any authenticated user to permanently delete any topic or post via its UUID.
Vulnerability
Description
CVE-2026-32818 is a missing authorization vulnerability in the forum module of Admidio, an open-source user management system. In versions 5.0.0 through 5.0.6, the topic_delete and post_delete actions in forum.php validate only the CSRF token; they never apply the administrator-or-owner check (isAdministratorForum() plus an ownership comparison) that the save/edit handlers in the same file enforce. Any authenticated user with forum access can therefore permanently delete any forum topic (including all its posts) or any individual post by supplying its UUID [1][2].
Exploitation
An attacker needs only a valid login and the UUID of the target topic or post, which is exposed in the application's URLs; no privileges beyond basic forum access are required. The delete actions are triggered by POST requests carrying a CSRF token, but that token is tied to the attacker's own session and is embedded in pages the attacker can legitimately load, so it does not hinder the attack [2]. The core flaw is the inconsistency within the module: the save/edit path enforces isAdministratorForum() and ownership, while the delete path skips both checks [1][2].
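The following PHP script is an added illustration of the flaw pattern described above and is not Admidio's own code. It models a delete handler that checks only the CSRF token beside one that also applies the administrator-or-owner rule the advisory says the edit path uses. The class names, the isAdministratorForum() method on the user object, the request array layout and the in-memory store are assumptions chosen to mirror the advisory text; it targets PHP 8.1 or later.

```php
<?php
// Added example, not Admidio code. ForumStore, ForumPost, User and the
// request array layout are assumptions made for this illustration.
declare(strict_types=1);

final class AuthorizationException extends RuntimeException {}

final class User {
    public function __construct(
        public readonly string $uuid,
        private readonly bool $forumAdmin = false,
    ) {}
    // Assumed to mirror the isAdministratorForum() check the advisory names.
    public function isAdministratorForum(): bool { return $this->forumAdmin; }
}

final class ForumPost {
    public function __construct(
        public readonly string $uuid,
        public readonly string $ownerUuid,
        public string $text,
    ) {}
}

final class ForumStore {
    /** @var array<string, ForumPost> keyed by post UUID */
    private array $posts = [];
    public function add(ForumPost $p): void { $this->posts[$p->uuid] = $p; }
    public function find(string $uuid): ?ForumPost { return $this->posts[$uuid] ?? null; }
    public function delete(string $uuid): void { unset($this->posts[$uuid]); }
    public function count(): int { return count($this->posts); }
}

// Constant-time comparison of the submitted token with the session token.
function checkCsrf(array $request, string $sessionToken): void {
    if (!hash_equals($sessionToken, (string)($request['csrf_token'] ?? ''))) {
        throw new RuntimeException('CSRF token mismatch');
    }
}

// Vulnerable pattern: the CSRF token is verified and nothing else is.
function postDeleteVulnerable(array $request, string $sessionToken, User $user, ForumStore $store): void {
    checkCsrf($request, $sessionToken);
    $post = $store->find((string)$request['uuid']) ?? throw new RuntimeException('no such post');
    $store->delete($post->uuid);   // every logged-in user reaches this line
}

// The rule the edit path applies: forum administrator or owner of the post.
function canModify(User $user, ForumPost $post): bool {
    return $user->isAdministratorForum() || $post->ownerUuid === $user->uuid;
}

// Hardened pattern: same CSRF check, then the same authorization rule as edit.
function postDeleteFixed(array $request, string $sessionToken, User $user, ForumStore $store): void {
    checkCsrf($request, $sessionToken);
    $post = $store->find((string)$request['uuid']) ?? throw new RuntimeException('no such post');
    if (!canModify($user, $post)) {
        throw new AuthorizationException("user {$user->uuid} may not delete post {$post->uuid}");
    }
    $store->delete($post->uuid);
}

// Constructed demo data: Alice is an ordinary member, Bob owns the post.
$alice = new User('u-alice');
$token = bin2hex(random_bytes(16));   // stands in for the session CSRF token
$req   = ['csrf_token' => $token, 'uuid' => 'p-1'];

$store = new ForumStore();
$store->add(new ForumPost('p-1', 'u-bob', 'hello'));
postDeleteVulnerable($req, $token, $alice, $store);
echo "vulnerable handler: posts remaining = {$store->count()}\n";

$store = new ForumStore();
$store->add(new ForumPost('p-1', 'u-bob', 'hello'));
try {
    postDeleteFixed($req, $token, $alice, $store);
} catch (AuthorizationException $e) {
    echo "fixed handler refused: {$e->getMessage()}\n";
}
echo "fixed handler: posts remaining = {$store->count()}\n";
```

Run it with `php` on the command line. The first handler lets Alice remove Bob's post because a valid CSRF token is the only gate and Alice's own session supplies one; the second refuses her with an AuthorizationException and leaves the post in place. The point worth carrying into code review is that canModify() is a single shared predicate: when create, edit and delete each re-implement the rule inline, one of them drifting out of sync is exactly how this class of bug arises.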
Impact
Successful exploitation results in irreversible loss of forum content. An attacker can delete any topic (and all its posts) or any individual post, potentially disrupting community discussions, removing important announcements, or causing data loss. The deletion is permanent and cannot be undone through the application interface [1][2].
Mitigation
The issue has been fixed in Admidio version 5.0.7, released on 2026-03-19. Users are strongly recommended to upgrade immediately. No workarounds are documented; the fix adds proper authorization checks to the delete handlers [1][4].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| admidio/admidio (Packagist) | >= 5.0.0, < 5.0.7 | 5.0.7 |
Affected products
2 affected products listed.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] https://github.com/advisories/GHSA-g375-5wmp-xr78 (GHSA advisory)
- [2] https://nvd.nist.gov/vuln/detail/CVE-2026-32818 (NVD entry)
- [3] https://github.com/Admidio/admidio/releases/tag/v5.0.7 (release notes)
- [4] https://github.com/Admidio/admidio/security/advisories/GHSA-g375-5wmp-xr78 (vendor advisory)
News mentions
No linked articles in our index yet.