Platform
php
Component
admidio
Fixed in
5.0.8
CVE-2026-32755 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in Admidio, an open-source user management solution. This flaw allows an attacker to modify a user's role membership start and end dates without the knowledge of the role leader whose browser submits the request. The vulnerability impacts Admidio versions 5.0.6 and earlier, and a fix is available in version 5.0.7.
The core impact of CVE-2026-32755 lies in the potential for unauthorized modification of user roles within an Admidio deployment. An attacker could embed a malicious POST form in a web page or email and trick a role leader into clicking a link or visiting the page. The crafted form would then silently submit a request to Admidio, altering the membership dates of users. This could lead to privilege escalation, denial of access for legitimate users, or other disruptive actions depending on the roles involved. The visibility of membership UUIDs in the HTML source code facilitates this attack, making exploitation relatively straightforward for an attacker with basic web development skills.
CVE-2026-32755 was publicly disclosed on March 19, 2026. There is currently no indication of active exploitation or inclusion on the CISA KEV catalog. Public proof-of-concept (PoC) code is not widely available, but the vulnerability's nature and the ease of crafting a CSRF request suggest that PoCs could emerge relatively quickly. The vulnerability's reliance on user interaction makes it less likely to be exploited in automated campaigns, but targeted attacks against role leaders remain a concern.
Exploit Status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-32755 is to immediately upgrade Admidio to version 5.0.7 or later, which includes the necessary CSRF token validation. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter out POST requests to the savemembership endpoint that lack a valid CSRF token. Additionally, educate users about the risks of clicking suspicious links or visiting untrusted websites. Regularly review Admidio's configuration and ensure that user permissions are appropriately restricted to minimize the potential impact of a successful attack. After upgrading, confirm the fix by submitting a crafted POST request to the savemembership endpoint from a test session and verifying that the request is rejected because the CSRF token is missing or invalid.
Update Admidio to version 5.0.7 or higher. This version fixes the Cross-Site Request Forgery (CSRF) vulnerability in the role membership date modification function. The update will prevent attackers from manipulating user membership dates without authorization.
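As an added illustration of the kind of fix the advisory describes (a synchronizer CSRF token checked before a membership-date save handler acts), the following PHP sketch is not Admidio's code; the session key, the form field names and the `saveMembershipDates()` helper are assumptions made for the example:

```php
<?php
// Hypothetical PHP handler for a POST that updates role-membership dates,
// hardened with a synchronizer CSRF token. Not Admidio's code: session key,
// form field names and saveMembershipDates() are illustrative assumptions.
declare(strict_types=1);
session_start();

// Issue one random token per session; every state-changing form embeds it
// as a hidden input named csrf_token.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}
// A cross-site form cannot read the victim's session token, so a request
// that lacks it (or carries a wrong one) is rejected before any change.
// hash_equals() compares in constant time.
function requireCsrfToken(array $post): void
{
    $submitted = $post['csrf_token'] ?? '';
    $expected  = $_SESSION['csrf_token'] ?? '';
    if ($expected === '' || !is_string($submitted) || !hash_equals($expected, $submitted)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
}
// Defence in depth only: modern browsers send Sec-Fetch-Site: cross-site on a
// cross-origin form post. An absent header means an older client, so the
// token check above remains the control that actually blocks the attack.
function rejectCrossSiteBrowserRequest(): void
{
    if (($_SERVER['HTTP_SEC_FETCH_SITE'] ?? '') === 'cross-site') {
        http_response_code(403);
        exit('Cross-site request rejected');
    }
}
// Illustrative stand-in for the real persistence step (validates only).
function saveMembershipDates(string $uuid, string $from, string $to): bool
{
    return $uuid !== '' && strtotime($from) !== false && strtotime($to) !== false;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    rejectCrossSiteBrowserRequest();
    requireCsrfToken($_POST);   // both checks run before any state change
    saveMembershipDates($_POST['membership_uuid'] ?? '',
                        $_POST['date_from'] ?? '', $_POST['date_to'] ?? '');
}
```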
CVE-2026-32755 is a Cross-Site Request Forgery (CSRF) vulnerability in Admidio versions 5.0.6 and below, allowing attackers to silently modify user membership dates.
You are affected if you are using Admidio version 5.0.6 or earlier. Upgrade to version 5.0.7 to mitigate the risk.
Upgrade Admidio to version 5.0.7 or later. As a temporary workaround, implement a WAF rule to filter requests to the save_membership endpoint.
There is currently no evidence of active exploitation, but the vulnerability's nature suggests it could be targeted.
Refer to the official Admidio security advisory for detailed information and updates: [https://admidio.com/security/admidio-security-advisory-2026-001](https://admidio.com/security/admidio-security-advisory-2026-001)