CVE-2026-32816
CSRF Vulnerability in Admidio Roles Allows Permanent Role Deletion
Publication date: 2026-03-19
Last updated on: 2026-03-23
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| admidio | admidio | From 5.0.0 (inc) to 5.0.7 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Admidio versions 5.0.0 through 5.0.6 in the modules/groups-roles/groups_roles.php file. The delete, activate, and deactivate modes perform destructive changes on organizational roles but do not validate an anti-CSRF token on the server side. Although the client-side UI sends a CSRF token, the server ignores it for these actions. An attacker who can find a role UUID, which is publicly visible, can trick a user with role assignment rights into submitting forged requests that delete or toggle roles without their consent.
Role deletion is permanent and cascades to all related memberships, event associations, and rights data. The attacker can cause mass revocation of access and silently activate or deactivate entire groups. The vulnerability can be exploited by embedding a forged POST form on an external page and harvesting role UUIDs from the public cards view. There is no undo option except restoring the database. This issue was fixed in version 5.0.7.
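The defect described above is a server-side check that never runs: the form carries a token, but the destructive modes never compare it against the session. The following is an added example, not Admidio's code, of a minimal PHP handler showing the vulnerable pattern beside the fixed one; the function names, field names and the `role_uuid` parameter are hypothetical.

```php
<?php
// Added example, not Admidio's code: a minimal mode dispatcher modelled on the
// flaw above. A destructive mode must bind the request to the user's session
// with a server-side token comparison. Names here are hypothetical.
declare(strict_types=1);
session_start();

// Issue one random token per session and embed it in every state-changing form.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison against the session copy; a missing token fails.
function csrfTokenIsValid(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return $submitted !== null && $expected !== ''
        && hash_equals($expected, $submitted);
}

$destructiveModes = ['delete', 'activate', 'deactivate'];
$mode     = $_POST['mode'] ?? '';
$roleUuid = $_POST['role_uuid'] ?? '';

if (in_array($mode, $destructiveModes, true)) {
    // Vulnerable pattern (the CVE): the csrf_token field arrives with the form
    // but is never read here, so a cross-origin POST naming any public role
    // UUID is processed exactly like a legitimate one.
    //
    // Fixed pattern: reject the request before touching the database.
    if (!csrfTokenIsValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Rejected: CSRF token missing or does not match the session.');
    }
    // Only now continue to the existing permission check and the role change.
    echo "Mode {$mode} authorised for role {$roleUuid}\n";
}

// The same-site form carries the session-bound token. A page on another origin
// cannot read this value, so a forged POST from it fails the check above.
echo '<input type="hidden" name="csrf_token" value="'
    . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
```

The check must sit in front of every destructive mode, not only in the UI that renders the form, since the attacker's page never uses that UI.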
How can this vulnerability impact me?
If exploited, this vulnerability can lead to permanent deletion of organizational roles and mass revocation of all associated memberships, event access, document access, and mailing list rights. It can also result in unauthorized activation or deactivation of entire groups. This can disrupt organizational operations, cause loss of access for many users, and require a database restore to recover.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in Admidio version 5.0.7. Immediate mitigation involves upgrading your Admidio installation to version 5.0.7 or later.
Until the upgrade is applied, restrict access to the modules/groups-roles/groups_roles.php functionality to trusted users only, especially those with the rol_assign_roles right.
Consider monitoring and limiting public access to the cards view where role UUIDs are exposed, to reduce the risk of attackers harvesting these identifiers.