Platform: php
Component: admidio/admidio
Fixed in: 5.0.1, 5.0.7
CVE-2026-32816 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting admidio/admidio versions up to 5.0.6. This flaw allows an attacker to manipulate organizational roles within the system, potentially leading to unauthorized changes. The vulnerability stems from a lack of CSRF token validation in the delete, activate, and deactivate modes. A fix is available in version 5.0.7.
An attacker can exploit this CSRF vulnerability by crafting a malicious HTML page containing a forged POST request. If a user who holds the rol_as role visits this page while authenticated in Admidio, the attacker can trigger actions such as deleting, activating, or deactivating organizational roles. The attacker only needs to know a role UUID, which may be visible in the public cards view if that module is publicly accessible. Successful exploitation could result in unauthorized modifications to user permissions and access controls, compromising the integrity of the Admidio installation.
This vulnerability was publicly disclosed on 2026-03-16. No public proof-of-concept (PoC) code has been identified at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. The medium CVSS score suggests a moderate risk of exploitation, particularly in environments where admidio is publicly accessible and role UUIDs are exposed.
Exploit Status
EPSS: 0.02% (4th percentile)
The primary mitigation for CVE-2026-32816 is to upgrade admidio/admidio to version 5.0.7 or later, which adds the missing CSRF token validation. If upgrading immediately is not feasible, consider a Web Application Firewall (WAF) rule that blocks suspicious POST requests to the vulnerable endpoint (modules/groups-roles/groups_roles.php). Review user access controls and ensure the cards view is not publicly accessible if it exposes role UUIDs. After upgrading, confirm the fix by attempting to trigger the vulnerable actions with a forged POST request and verifying that the action is rejected.
Update Admidio to version 5.0.7 or higher. This version fixes the Cross-Site Request Forgery (CSRF) vulnerability in role deletion, activation, and deactivation actions. The update will prevent an attacker from manipulating role actions without authorization.
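To make the defect concrete, here is an added PHP example (not Admidio's own code) of a mode dispatcher that validated the CSRF token only for the edit path, beside the hardened form that validates it for every state-changing mode. The function names, session layout and the `mode`, `uuid` and `csrf_token` parameter names are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not Admidio source; session and parameter names are assumptions. PHP 8+.
session_start();

// One unpredictable token per session; forms embed it in a hidden field.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison. A cross-site form cannot read the victim's session
// token, so a forged POST arrives without it (or with a wrong one) and fails here.
function csrfTokenIsValid(?string $submitted): bool
{
    return is_string($submitted) && hash_equals(csrfToken(), $submitted);
}

function handleRoleRequest(array $post, bool $validateAllModes): string
{
    $mode = $post['mode'] ?? '';
    $uuid = $post['uuid'] ?? '';

    // Weak pattern: only 'edit' checked the token, so delete/activate/deactivate
    // could be triggered by a forged POST from another origin.
    // Fixed pattern: every mode that changes state requires a valid token.
    $modesRequiringToken = $validateAllModes
        ? ['edit', 'delete', 'activate', 'deactivate']
        : ['edit'];

    if (in_array($mode, $modesRequiringToken, true)
        && !csrfTokenIsValid($post['csrf_token'] ?? null)) {
        http_response_code(403);
        return 'rejected: invalid CSRF token';
    }

    return match ($mode) {
        'edit', 'delete', 'activate', 'deactivate' => sprintf('%s role %s', $mode, $uuid),
        default => 'unknown mode',
    };
}

// Constructed forged request: mode and uuid only, no token, as a cross-site form would send.
$forged = ['mode' => 'delete', 'uuid' => 'ROLE-UUID-PLACEHOLDER'];
echo handleRoleRequest($forged, false), PHP_EOL; // weak dispatcher: deletion proceeds
echo handleRoleRequest($forged, true), PHP_EOL;  // hardened dispatcher: request rejected
```

The same check is what the post-upgrade verification step above exercises: a POST without the session token to any of the three modes should return the rejection, not perform the action.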
CVE-2026-32816 is a Cross-Site Request Forgery (CSRF) vulnerability in admidio/admidio versions up to 5.0.6, allowing attackers to manipulate organizational roles.
You are affected if you are using admidio/admidio version 5.0.6 or earlier. Upgrade to 5.0.7 to mitigate the risk.
Upgrade admidio/admidio to version 5.0.7 or later. Consider a WAF rule as a temporary workaround.
There is no confirmed active exploitation of CVE-2026-32816 at this time, but the vulnerability is publicly known.
Refer to the admidio/admidio project's official website or GitHub repository for the latest security advisories.