PT-2026-26171 · Admidio · Admidio

Restriction · Published 2026-03-16 · Updated 2026-03-20 · CVE-2026-32816

CVSS v3.1: 5.7 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Admidio versions 5.0.0 through 5.0.6

Description: Admidio is an open-source user management solution. The delete, activate, and deactivate modes in modules/groups-roles/groups_roles.php do not validate an anti-CSRF token, despite the client-side UI including one in POST requests. An attacker can discover a role UUID (visible in the public cards view) and embed a forged POST form on an external page to trick a user with the rol_assign_roles right into deleting or toggling roles. Role deletion is permanent and cascades to all memberships, event associations, and rights data. The delete, activate, and deactivate modes receive no CSRF protection, while the save mode is protected. The server-side handlers ignore $_POST["adm_csrf_token"] for the three vulnerable modes. The role UUIDs are discoverable without authentication. The delete() function permanently removes the role record, all memberships, event associations, and access-right entries. An attacker can exploit this to permanently delete roles, revoke memberships, or silently activate/deactivate groups.

Recommendations: Add SecurityUtils::validateCsrfToken($_POST["adm_csrf_token"]) at the beginning of each vulnerable case in modules/groups-roles/groups_roles.php.
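The shape of the defect and of the recommended fix, shown as an added illustration that is not Admidio's own code: both dispatchers are hypothetical stand-ins that assume a $mode request parameter, a SecurityUtils::validateCsrfToken() helper that aborts on mismatch, and a session-held token under adm_csrf_token; the real groups_roles.php and role class differ in detail.

```php
<?php
// Added illustration, not Admidio's own code. Assumed: the script dispatches on a
// $mode request parameter, and SecurityUtils::validateCsrfToken() aborts the
// request when the POSTed token does not match the one held in the session.
final class SecurityUtils
{
    // Stand-in for the real helper: constant-time compare against the session token.
    public static function validateCsrfToken(?string $token): void
    {
        $expected = $_SESSION['adm_csrf_token'] ?? '';
        if ($token === null || $expected === '' || !hash_equals($expected, $token)) {
            throw new RuntimeException('Invalid CSRF token');
        }
    }
}

// Stand-in for the role record; the real delete() cascades to memberships, events and rights.
final class Role
{
    public bool $active = true;
    public bool $deleted = false;
}

// Vulnerable shape: only 'save' checks the token, so a cross-site POST naming a
// known role UUID reaches delete/activate/deactivate unchallenged.
function dispatchVulnerable(string $mode, array $post, Role $role): void
{
    switch ($mode) {
        case 'save':
            SecurityUtils::validateCsrfToken($post['adm_csrf_token'] ?? null);
            break;                                          // ...then persist fields
        case 'delete':     $role->deleted = true;  break;   // no token check
        case 'activate':   $role->active  = true;  break;   // no token check
        case 'deactivate': $role->active  = false; break;   // no token check
        default: throw new InvalidArgumentException("unknown mode: $mode");
    }
}

// Hardened shape (the advisory's recommendation): validate the token at the top
// of every state-changing case, before the role is touched.
function dispatchFixed(string $mode, array $post, Role $role): void
{
    if (!in_array($mode, ['save', 'delete', 'activate', 'deactivate'], true)) {
        throw new InvalidArgumentException("unknown mode: $mode");
    }
    SecurityUtils::validateCsrfToken($post['adm_csrf_token'] ?? null);
    if ($mode === 'delete')     { $role->deleted = true; }
    if ($mode === 'activate')   { $role->active  = true; }
    if ($mode === 'deactivate') { $role->active  = false; }
}
```

With a request that carries no adm_csrf_token, dispatchVulnerable('delete', ...) marks the role deleted, while dispatchFixed throws before any state changes, which is the behaviour the recommendation restores for all three modes.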

Exploit · Fix · CSRF

Weakness Enumeration

Related Identifiers

CVE-2026-32816
GHSA-WWG8-6FFR-H4Q2

Affected Products

Admidio