FKIE_CVE-2026-32755
Vulnerability from fkie_nvd - Published: 2026-03-19 23:16 - Updated: 2026-03-23 19:11
Summary
Admidio is an open-source user management solution. In versions 5.0.6 and below, the save_membership action in modules/profile/profile_function.php saves changes to a member's role membership start and end dates but does not validate the CSRF token. The handler checks stop_membership and remove_former_membership against the CSRF token but omits save_membership from that check. Because membership UUIDs appear in the HTML source visible to authenticated users, an attacker can embed a crafted POST form on any external page and trick a role leader into submitting it, silently altering membership dates for any member of roles the victim leads. A role leader's session can be silently exploited via CSRF to manipulate any member's membership dates, terminating access by backdating, covertly extending unauthorized access, or revoking role-restricted features, all without confirmation, notification, or administrative approval. This issue has been fixed in version 5.0.7.
References
| Source | URL | Tags |
|---|---|---|
| security-advisories@github.com | https://github.com/Admidio/admidio/releases/tag/v5.0.7 | Product, Release Notes |
| security-advisories@github.com | https://github.com/Admidio/admidio/security/advisories/GHSA-h8gr-qwr6-m9gx | Exploit, Mitigation, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3347E657-D132-4D87-A355-391136657A27",
"versionEndExcluding": "5.0.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Admidio is an open-source user management solution. In versions 5.0.6 and below, the save_membership action in modules/profile/profile_function.php saves changes to a member\u0027s role membership start and end dates but does not validate the CSRF token. The handler checks stop_membership and remove_former_membership against the CSRF token but omits save_membership from that check. Because membership UUIDs appear in the HTML source visible to authenticated users, an attacker can embed a crafted POST form on any external page and trick a role leader into submitting it, silently altering membership dates for any member of roles the victim leads. A role leader\u0027s session can be silently exploited via CSRF to manipulate any member\u0027s membership dates, terminating access by backdating, covertly extending unauthorized access, or revoking role-restricted features, all without confirmation, notification, or administrative approval. This issue has been fixed in version 5.0.7."
},
{
"lang": "es",
"value": "Admidio es una soluci\u00f3n de gesti\u00f3n de usuarios de c\u00f3digo abierto. En las versiones 5.0.6 e inferiores, la acci\u00f3n save_membership en modules/profile/profile_function.php guarda los cambios en las fechas de inicio y fin de la membres\u00eda de rol de un miembro, pero no valida el token CSRF. El gestor comprueba stop_membership y remove_former_membership contra el token CSRF, pero omite save_membership de esa comprobaci\u00f3n. Debido a que los UUID de membres\u00eda aparecen en el c\u00f3digo fuente HTML visible para los usuarios autenticados, un atacante puede incrustar un formulario POST manipulado en cualquier p\u00e1gina externa y enga\u00f1ar a un l\u00edder de rol para que lo env\u00ede, alterando silenciosamente las fechas de membres\u00eda para cualquier miembro de los roles que la v\u00edctima lidera. La sesi\u00f3n de un l\u00edder de rol puede ser explotada silenciosamente a trav\u00e9s de CSRF para manipular las fechas de membres\u00eda de cualquier miembro, terminando el acceso al retroceder la fecha, extendiendo encubiertamente el acceso no autorizado o revocando caracter\u00edsticas restringidas por rol, todo sin confirmaci\u00f3n, notificaci\u00f3n o aprobaci\u00f3n administrativa. Este problema ha sido solucionado en la versi\u00f3n 5.0.7."
}
],
"id": "CVE-2026-32755",
"lastModified": "2026-03-23T19:11:15.950",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-03-19T23:16:44.203",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Product",
"Release Notes"
],
"url": "https://github.com/Admidio/admidio/releases/tag/v5.0.7"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-h8gr-qwr6-m9gx"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.