PT-2026-26173 · Admidio · Admidio

Restriction · Published 2026-03-16 · Updated 2026-03-20 · CVE-2026-32818

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Admidio versions 5.0.0 through 5.0.6

Description: Admidio is an open-source user management solution. The forum module does not verify whether the current user has permission to delete forum topics or posts. The topic delete and post delete actions in forum.php only validate the CSRF token and do not perform authorization checks before calling the delete() function. Any authenticated user with forum access can therefore delete any topic (together with all its posts) or any individual post by providing its UUID, which is publicly visible in URLs. This bypasses authorization and is inconsistent with the save/edit operations, which correctly verify administrator status and ownership. The Topic class has an isEditable() method that checks for administrator privileges and category access, but it is not called during topic deletion. Similarly, post deletion lacks a check that the user is either a forum administrator or the author of the post. As a result, any logged-in user can permanently and irreversibly delete forum content.

Recommendations: Versions 5.0.0 through 5.0.6: add an authorization check to the topic delete action in forum.php to ensure the user has permission to delete the topic. Versions 5.0.0 through 5.0.6: add an authorization check to the post delete action in forum.php to ensure the user is either a forum administrator or the author of the post before allowing deletion.
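The following sketch illustrates the post-delete gap and the check the recommendation calls for. It is added example code, not Admidio's own; the classes, methods and variable names (ForumPost, CurrentUser, isForumAdmin(), canDeletePost() and so on) are assumptions that stand in for the real forum.php handler.

```php
<?php
// Illustrative sketch added here; not Admidio's code. Models the post-delete
// authorization gap described above. All names below are assumed.

final class ForumPost {
    public function __construct(private string $uuid, private string $authorUuid) {}
    public function getUuid(): string { return $this->uuid; }
    public function getAuthorUuid(): string { return $this->authorUuid; }
    public function delete(): void { /* would remove the row in a real app */ }
}

final class CurrentUser {
    public function __construct(private string $uuid, private bool $forumAdmin) {}
    public function getUuid(): string { return $this->uuid; }
    public function isForumAdmin(): bool { return $this->forumAdmin; }
}

// Vulnerable pattern (as the advisory describes): the CSRF token is the only
// gate, so any logged-in user who knows a post UUID reaches delete().
function deletePostVulnerable(CurrentUser $user, ForumPost $post, bool $csrfOk): bool {
    if (!$csrfOk) { return false; }
    $post->delete();
    return true;
}

// Authorization rule the recommendation calls for: forum administrator or
// author of the post.
function canDeletePost(CurrentUser $user, ForumPost $post): bool {
    return $user->isForumAdmin() || $user->getUuid() === $post->getAuthorUuid();
}

// Hardened pattern: CSRF check AND authorization check before delete();
// denied attempts are logged so they can be picked up by monitoring.
function deletePostHardened(CurrentUser $user, ForumPost $post, bool $csrfOk): bool {
    if (!$csrfOk) { return false; }
    if (!canDeletePost($user, $post)) {
        error_log(sprintf('forum: user %s denied delete of post %s',
            $user->getUuid(), $post->getUuid()));
        return false;
    }
    $post->delete();
    return true;
}

// Constructed demo: a non-admin user acting on another user's post.
$alice = new CurrentUser('uuid-alice', false);
$post  = new ForumPost('uuid-post-1', 'uuid-bob');
echo 'vulnerable: ', var_export(deletePostVulnerable($alice, $post, true), true), PHP_EOL;
echo 'hardened:   ', var_export(deletePostHardened($alice, $post, true), true), PHP_EOL;
```

The same rule applies to the topic delete action, where the page notes the existing Topic::isEditable() check is the natural gate to call before delete().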

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2026-32818
GHSA-G375-5WMP-XR78

Affected Products

Admidio