CVE-2026-32755
Received Received - Intake
CSRF Vulnerability in Admidio Allows Unauthorized Membership Modification

Publication date: 2026-03-19

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
Admidio is an open-source user management solution. In versions 5.0.6 and below, the save_membership action in modules/profile/profile_function.php saves changes to a member's role membership start and end dates but does not validate the CSRF token. The handler checks stop_membership and remove_former_membership against the CSRF token but omits save_membership from that check. Because membership UUIDs appear in the HTML source visible to authenticated users, an attacker can embed a crafted POST form on any external page and trick a role leader into submitting it, silently altering membership dates for any member of roles the victim leads. A role leader's session can be silently exploited via CSRF to manipulate any member's membership dates, terminating access by backdating, covertly extending unauthorized access, or revoking role-restricted features, all without confirmation, notification, or administrative approval. This issue has been fixed in version 5.0.7.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-19
Last Modified
2026-03-23
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32755
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
admidio admidio to 5.0.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Admidio versions 5.0.6 and below, specifically in the save_membership action within the modules/profile/profile_function.php file. The action saves changes to a member's role membership start and end dates but fails to validate the CSRF (Cross-Site Request Forgery) token.

While other actions like stop_membership and remove_former_membership check the CSRF token, save_membership does not. Because membership UUIDs are visible in the HTML source to authenticated users, an attacker can craft a malicious POST form on an external page and trick a role leader into submitting it.

This allows the attacker to silently alter membership dates for any member of roles the victim leads without confirmation, notification, or administrative approval.

Impact Analysis

The vulnerability allows an attacker to exploit a role leader's session via CSRF to manipulate membership dates of any member within roles the victim leads.

  • Terminate access by backdating membership end dates.
  • Covertly extend unauthorized access by backdating membership start dates.
  • Revoke role-restricted features without any confirmation or notification.

All these actions can be done silently, potentially disrupting user access and role management without administrative oversight.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Admidio to version 5.0.7 or later, where the issue has been fixed.

Until the upgrade can be applied, restrict role leaders' access or monitor for suspicious changes to membership dates, as the vulnerability allows CSRF attacks to silently alter membership roles.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32755. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart