Platform
php
Component
admidio/admidio
Fixed versions
5.0.1
5.0.7
CVE-2026-32816 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting admidio/admidio versions up to 5.0.6. This flaw allows an attacker to manipulate organizational roles within the system, potentially leading to unauthorized changes. The vulnerability stems from a lack of CSRF token validation in the delete, activate, and deactivate modes. A fix is available in version 5.0.7.
An attacker can exploit this CSRF vulnerability by crafting a malicious HTML page containing a forged POST request. If a user with the rol_as role visits this page while authenticated in admidio, the attacker can trigger actions such as deleting, activating, or deactivating organizational roles. The attacker only needs to discover a role UUID, which is potentially visible in the public cards view if the module is publicly accessible. Successful exploitation could result in unauthorized modifications to user permissions and access controls, potentially compromising the integrity of the admidio system.
This vulnerability was publicly disclosed on 2026-03-16. No public proof-of-concept (PoC) code has been identified at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. The medium CVSS score suggests a moderate risk of exploitation, particularly in environments where admidio is publicly accessible and role UUIDs are exposed.
Organizations using admidio/admidio versions 5.0.6 and earlier, particularly those with publicly accessible modules or those that have not implemented robust access controls, are at risk. Shared hosting environments where multiple users share the same admidio instance are also particularly vulnerable.
• php / server:
find /var/www/html/admidio/modules/groups-roles/ -name groups_roles.php -print0 | xargs -0 grep -i "adm_csrf_token"
• php / server:
journalctl -u php-fpm | grep -i "adm_csrf_token"
• generic web:
Use a web proxy or browser extension to monitor network traffic and identify POST requests to modules/groups-roles/groups_roles.php without a valid CSRF token.
Disclosure
Exploit status
EPSS
0.02% (4th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-32816 is to upgrade admidio/admidio to version 5.0.7 or later, which includes the necessary CSRF token validation. If upgrading immediately is not feasible, consider implementing a Web Application Firewall (WAF) rule to block suspicious POST requests targeting the vulnerable endpoints (modules/groups-roles/groups_roles.php). Carefully review user access controls and ensure the cards view is not publicly accessible if it exposes role UUIDs. After upgrading, confirm the fix by attempting to trigger the vulnerable actions with a forged POST request and verifying that the action is blocked.
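The class of defect described above (a mode dispatcher that performs delete, activate and deactivate actions on a POST request without first validating a CSRF token) and the shape of the fix (validate the token before any state-changing mode runs) can be illustrated with a small PHP handler. This is an added, generic example; it is not admidio's own code and does not reproduce its internals. The function names, the `csrf_token` form field, the `mode` and `role_uuid` parameter names and the `$apply` callback are all assumptions made for the illustration.

```php
<?php
// Illustrative only: NOT admidio's code. Shows the vulnerable shape of a
// mode dispatcher beside a hardened one. All names below are assumed.
declare(strict_types=1);

session_start();

// Issue one random token per session; embed it in every state-changing form.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison of the submitted token with the session token.
function csrfTokenIsValid(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Vulnerable shape: the mode switch acts before any token check, so a POST
// submitted from any origin by an authenticated browser reaches $apply.
function handleRoleActionVulnerable(array $post, callable $apply): string
{
    $mode = $post['mode'] ?? '';
    $uuid = $post['role_uuid'] ?? '';
    switch ($mode) {
        case 'delete':
        case 'activate':
        case 'deactivate':
            $apply($mode, $uuid);
            return 'ok';
        default:
            return 'unknown mode';
    }
}

// Hardened shape: every state-changing mode is refused unless the request
// carries the token that only the site's own form could have embedded.
function handleRoleActionHardened(array $post, callable $apply): string
{
    $mode = $post['mode'] ?? '';
    $uuid = $post['role_uuid'] ?? '';
    if (in_array($mode, ['delete', 'activate', 'deactivate'], true)) {
        if (!csrfTokenIsValid($post['csrf_token'] ?? null)) {
            http_response_code(403);
            return 'rejected: missing or invalid CSRF token';
        }
        $apply($mode, $uuid);
        return 'ok';
    }
    return 'unknown mode';
}

// Demonstration with constructed requests; no database is touched.
$token = csrfToken();
$noop = static function (string $mode, string $uuid): void {
    error_log("would apply {$mode} to role {$uuid}");
};

// A cross-site form carries no token: only the hardened handler refuses it.
$forged = ['mode' => 'delete', 'role_uuid' => 'constructed-example-uuid'];
echo handleRoleActionVulnerable($forged, $noop), PHP_EOL;
echo handleRoleActionHardened($forged, $noop), PHP_EOL;

// The application's own form includes the token and is still accepted.
$legitimate = $forged + ['csrf_token' => $token];
echo handleRoleActionHardened($legitimate, $noop), PHP_EOL;
```

The decisive property is that the token check happens before the mode is acted on, for every mode that changes state; a check applied to some modes but not to delete, activate or deactivate leaves exactly the gap the advisory describes. Comparing with `hash_equals` rather than `==` avoids timing side channels, and reading the token from the request body rather than a cookie ensures a cross-origin form cannot supply it automatically.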
Update Admidio to version 5.0.7 or later. This version fixes the Cross-Site Request Forgery (CSRF) vulnerability in the role delete, activate, and deactivate actions. Updating prevents attackers from triggering role actions without authorization.
CVE-2026-32816 is a Cross-Site Request Forgery (CSRF) vulnerability in admidio/admidio versions up to 5.0.6, allowing attackers to manipulate organizational roles.
You are affected if you are using admidio/admidio version 5.0.6 or earlier. Upgrade to 5.0.7 to mitigate the risk.
Upgrade admidio/admidio to version 5.0.7 or later. Consider a WAF rule as a temporary workaround.
There is no confirmed active exploitation of CVE-2026-32816 at this time, but the vulnerability is publicly known.
Refer to the admidio/admidio project's official website or GitHub repository for the latest security advisories.