PT-2026-25853 · Admidio · Admidio
Restriction · Published 2026-03-16 · Updated 2026-03-20 · CVE-2026-32755
CVSS v3.1: 5.7 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Admidio versions 5.0.6 and below
Description
Admidio is an open-source user management solution. The `save_membership` action in modules/profile/profile_function.php saves changes to a member's role membership start and end dates but does not validate the CSRF token. The handler checks `stop_membership` and `remove_former_membership` against the CSRF token but omits `save_membership` from that check.

Because membership UUIDs appear in the HTML source visible to authenticated users, an attacker can embed a crafted POST form on any external page and trick a role leader into submitting it, silently altering membership dates for any member of roles the victim leads. A role leader's session can thus be exploited via CSRF to manipulate any such member's membership dates: terminating access by backdating, covertly extending unauthorized access, or revoking role-restricted features, all without confirmation, notification, or administrative approval.

The `allowedToAssignMembers()` check grants write access to any user who is an administrator or a leader of the target role. The membership date form is created via `FormPresenter`, which automatically injects a CSRF token hidden field into every form, but the server-side `save_membership` handler does not validate it.

Recommendations
Add `save_membership` to the existing CSRF validation check in modules/profile/profile_function.php, lines 40-42.
Use the form-object validation pattern, consistent with other write endpoints.
Exploit
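The following is an added example written for this page; it is not Admidio's code and all function, variable and mode-list names in it are assumptions. It models the defect the advisory describes, a profile action handler whose CSRF check is keyed on an incomplete list of write modes, next to the hardened form in which every state-changing mode goes through the same token check before dispatch:

```php
<?php
// Added illustrative example, not Admidio's own code. Function and variable
// names are assumptions made for the example, not Admidio identifiers.

declare(strict_types=1);

// Every mode that writes state belongs in this one list; a new write mode is
// added here and nowhere else, so it cannot silently bypass the check.
const WRITE_MODES = ['save_membership', 'stop_membership', 'remove_former_membership'];

// Session-bound anti-CSRF token (a plain array stands in for $_SESSION here).
function issueCsrfToken(array &$session): string
{
    if (!isset($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Constant-time comparison of the submitted token against the session token.
function csrfTokenIsValid(array $session, array $post): bool
{
    return isset($session['csrf_token'], $post['csrf_token'])
        && is_string($post['csrf_token'])
        && hash_equals($session['csrf_token'], $post['csrf_token']);
}

// Vulnerable pattern: the check is keyed on an incomplete list of modes, so a
// 'save_membership' request reaches the write path without the token inspected.
function handleProfileActionVulnerable(string $mode, array $session, array $post, array &$memberships): string
{
    if (in_array($mode, ['stop_membership', 'remove_former_membership'], true)
        && !csrfTokenIsValid($session, $post)) {
        return 'rejected: invalid CSRF token';
    }
    return applyMembershipChange($mode, $post, $memberships);
}

// Hardened pattern: the token is validated for every write mode before dispatch.
function handleProfileActionFixed(string $mode, array $session, array $post, array &$memberships): string
{
    if (in_array($mode, WRITE_MODES, true) && !csrfTokenIsValid($session, $post)) {
        return 'rejected: invalid CSRF token';
    }
    return applyMembershipChange($mode, $post, $memberships);
}

// Minimal stand-in for the membership write itself (dates keyed by membership UUID).
function applyMembershipChange(string $mode, array $post, array &$memberships): string
{
    $uuid = $post['membership_uuid'] ?? '';
    if (!isset($memberships[$uuid])) {
        return 'rejected: unknown membership';
    }
    switch ($mode) {
        case 'save_membership':
            $memberships[$uuid]['start'] = $post['start'] ?? $memberships[$uuid]['start'];
            $memberships[$uuid]['end']   = $post['end']   ?? $memberships[$uuid]['end'];
            return 'saved';
        case 'stop_membership':
            $memberships[$uuid]['end'] = date('Y-m-d');
            return 'stopped';
        case 'remove_former_membership':
            unset($memberships[$uuid]);
            return 'removed';
        default:
            return 'rejected: unknown mode';
    }
}

// Constructed demonstration: a request originating from another site carries the
// victim's session cookie but no valid token. UUID and dates are made up.
$session = [];
issueCsrfToken($session);
$uuid        = '11111111-2222-3333-4444-555555555555';
$memberships = [$uuid => ['start' => '2026-01-01', 'end' => '9999-12-31']];
$forgedPost  = ['membership_uuid' => $uuid, 'end' => '2020-01-01'];

echo handleProfileActionVulnerable('save_membership', $session, $forgedPost, $memberships), PHP_EOL;
$memberships[$uuid]['end'] = '9999-12-31';
echo handleProfileActionFixed('save_membership', $session, $forgedPost, $memberships), PHP_EOL;
```

Run with `php example.php`: the first handler accepts the forged request and backdates the end date, the second rejects it because no valid token accompanies the write. The design point is the single `WRITE_MODES` list: keeping the CSRF gate in one place, ahead of the mode switch, is what the advisory's "form-object validation pattern" recommendation achieves, since a per-mode list that must be updated by hand is exactly how `save_membership` was left out.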
Fix
CSRF
Weakness Enumeration
Related identifiers
Affected products
Admidio