Platform: php
Component: admidio/admidio
Fixed in: 5.0.1, 5.0.7
CVE-2026-32816 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting admidio/admidio versions up to and including 5.0.6. The flaw lets an attacker manipulate organizational roles in the system, potentially leading to unauthorized changes. It stems from missing CSRF token validation in the delete, activate, and deactivate modes of the role management script. A fix is available in version 5.0.7.
An attacker exploits this by crafting a malicious HTML page that submits a forged POST request to the vulnerable script. If a user holding the rol_as role visits that page while authenticated to admidio, the browser attaches the victim's session cookie automatically and the server, lacking a token check, carries out the requested delete, activate, or deactivate action on the named role. The attacker needs no secret from the victim's session; the only input beyond the mode is a role UUID, which may be visible in the public cards view if that module is publicly accessible. Successful exploitation results in unauthorized modification of user permissions and access controls, compromising the integrity of the admidio installation.
This vulnerability was publicly disclosed on 2026-03-16. No public proof-of-concept (PoC) code has been identified at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. The medium CVSS score suggests a moderate risk of exploitation, particularly in environments where admidio is publicly accessible and role UUIDs are exposed.
Organizations running admidio/admidio version 5.0.6 or earlier are at risk, particularly where modules are publicly accessible (exposing role UUIDs) or where access controls have not been tightened. Shared hosting environments in which many users work on the same admidio instance are also exposed, since every authenticated user with role-management rights is a potential victim of a forged request.
• php / server (the path assumes a default install under /var/www/html; adjust it otherwise; the indicator is a groups_roles.php in which the delete, activate and deactivate branches contain no adm_csrf_token check):
find /var/www/html/admidio/modules/groups-roles/ -name groups_roles.php -print0 | xargs -0 grep -i "adm_csrf_token"
• php / server (only meaningful if the application logs token failures; php-fpm's own logs do not normally record form fields):
journalctl -u php-fpm | grep -i "adm_csrf_token"
• generic web:
Use a web proxy or browser extension to monitor network traffic and identify POST requests to modules/groups-roles/groups_roles.php without a valid CSRF token.
Disclosure: 2026-03-16
Exploit Status: no public PoC identified; not listed in the CISA KEV catalog
EPSS: 0.02% (4th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-32816 is to upgrade admidio/admidio to version 5.0.7 or later, which adds the missing CSRF token validation. If upgrading immediately is not feasible, consider a Web Application Firewall (WAF) rule for the vulnerable endpoint (modules/groups-roles/groups_roles.php), for example rejecting POST requests whose Origin or Referer header does not name the admidio host, or which lack the adm_csrf_token field. Setting the SameSite attribute on the PHP session cookie (session.cookie_samesite) adds defence in depth but is not a substitute for server-side token validation. Review user access controls and ensure the cards view is not publicly accessible if it exposes role UUIDs. After upgrading, confirm the fix by submitting the delete, activate and deactivate actions from a page on another origin (or simply without the adm_csrf_token field) and verifying that the action is refused.
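The following is an added example, not Admidio's code and not part of the advisory. It reconstructs the pattern described in the exploitation paragraph above (a mode dispatch that checks authorisation but not a request token) beside the hardened version, and adds the origin check that the WAF suggestion in the mitigation paragraph relies on. Only the field name adm_csrf_token comes from this page; the function names, the request parameters `mode` and `role_uuid`, the in-memory `$roles` store, the hostnames and the role UUID are assumptions made for the demo.

```php
<?php
declare(strict_types=1);

// Illustrative reconstruction of the vulnerability class, not Admidio's code.
// Only the field name adm_csrf_token comes from the advisory page; function
// names, the parameters 'mode' and 'role_uuid', and the $roles store are assumed.

// Issue a per-session token once and keep it server-side. The attacker's page
// can make the victim's browser send the session cookie, but it cannot read
// this value out of the session, which is what makes the check work.
function csrfToken(array &$session): string
{
    if (empty($session['adm_csrf_token'])) {
        $session['adm_csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['adm_csrf_token'];
}

// Compare the submitted hidden field against the session copy in constant time.
function csrfTokenIsValid(array $session, array $post): bool
{
    $expected = $session['adm_csrf_token'] ?? '';
    $given    = $post['adm_csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Defence in depth equivalent to the WAF rule: a cross-site POST carries the
// attacker's Origin (or none at all). Caveat: browsers with a strict referrer
// policy may send neither header, so this alone is not a complete defence.
function originAllowed(array $server, string $expectedHost): bool
{
    $origin = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    return $origin !== '' && parse_url($origin, PHP_URL_HOST) === $expectedHost;
}

// The state change itself: delete / activate / deactivate a role by UUID.
function applyRoleMode(array $post, array &$roles): string
{
    $uuid = $post['role_uuid'] ?? '';
    if (!isset($roles[$uuid])) {
        return 'not found';
    }
    switch ($post['mode'] ?? '') {
        case 'delete':
            unset($roles[$uuid]);
            return 'deleted';
        case 'activate':
            $roles[$uuid]['valid'] = true;
            return 'activated';
        case 'deactivate':
            $roles[$uuid]['valid'] = false;
            return 'deactivated';
        default:
            return 'unknown mode';
    }
}

// Pattern the advisory describes: authorisation is checked, the token is not,
// so a forged POST riding on an authenticated session goes straight through.
function handleRoleActionVulnerable(array $session, array $post, array &$roles): string
{
    if (empty($session['may_manage_roles'])) {
        return 'forbidden';
    }
    return applyRoleMode($post, $roles);
}

// Hardened handler: the token is required for every state-changing mode and
// is verified before any lookup or modification takes place.
function handleRoleActionFixed(array $session, array $post, array &$roles): string
{
    if (empty($session['may_manage_roles'])) {
        return 'forbidden';
    }
    if (!csrfTokenIsValid($session, $post)) {
        return 'csrf check failed';
    }
    return applyRoleMode($post, $roles);
}

// --- Constructed demo (run with: php csrf_demo.php). UUID, role and hosts are made up. ---
$uuid    = '00000000-0000-4000-8000-000000000001';
$roles   = [$uuid => ['name' => 'Webmaster', 'valid' => true]];
$session = ['may_manage_roles' => true];
$token   = csrfToken($session);

// What a malicious page can submit: mode and UUID, but no token.
$forged = ['mode' => 'deactivate', 'role_uuid' => $uuid];
// What the application's own form submits: the same fields plus the hidden token.
$legit  = $forged + ['adm_csrf_token' => $token];

$copy = $roles;
printf("vulnerable, forged POST : %s\n", handleRoleActionVulnerable($session, $forged, $copy));
$copy = $roles;
printf("fixed,      forged POST : %s\n", handleRoleActionFixed($session, $forged, $copy));
$copy = $roles;
printf("fixed,      legit POST  : %s\n", handleRoleActionFixed($session, $legit, $copy));
printf("origin check, cross-site: %s\n",
    originAllowed(['HTTP_ORIGIN' => 'https://attacker.example'], 'admidio.example') ? 'allowed' : 'blocked');
printf("origin check, same site : %s\n",
    originAllowed(['HTTP_ORIGIN' => 'https://admidio.example'], 'admidio.example') ? 'allowed' : 'blocked');
```

Run from the command line, the vulnerable handler deactivates the role on the forged request, the fixed handler refuses it with the CSRF failure and accepts only the request that carries the session-bound token, and the origin check blocks the cross-site request while allowing the same-site one. The token check is the real fix; the origin check mirrors what a WAF rule can do in the meantime.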
Update Admidio to version 5.0.7 or higher. This version fixes the Cross-Site Request Forgery (CSRF) vulnerability in the actions for deleting, activating and deactivating roles. The update prevents an attacker from manipulating role actions without authorization.
CVE-2026-32816 is a Cross-Site Request Forgery (CSRF) vulnerability in admidio/admidio versions up to 5.0.6, allowing attackers to manipulate organizational roles.
You are affected if you are using admidio/admidio version 5.0.6 or earlier. Upgrade to 5.0.7 to mitigate the risk.
Upgrade admidio/admidio to version 5.0.7 or later. Consider a WAF rule as a temporary workaround.
There is no confirmed active exploitation of CVE-2026-32816 at this time, but the vulnerability is publicly known.
Refer to the admidio/admidio project's official website or GitHub repository for the latest security advisories.