Platform: php
Component: admidio
Fixed in: 5.0.8
CVE-2026-32755 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in Admidio, an open-source user management solution. This flaw allows an attacker to modify a user's role membership start and end dates without their knowledge. The vulnerability impacts Admidio versions 5.0.6 and earlier, and a fix is available in version 5.0.7.
The core impact of CVE-2026-32755 lies in the potential for unauthorized modification of user roles within an Admidio deployment. An attacker could embed a malicious POST form on a website or email, tricking a role leader into clicking a link or visiting the page. This crafted form would then silently submit a request to Admidio, altering the membership dates of users. This could lead to privilege escalation, denial of access for legitimate users, or other disruptive actions depending on the roles involved. The visibility of membership UUIDs in the HTML source code facilitates this attack, making exploitation relatively straightforward for an attacker with basic web development skills.
CVE-2026-32755 was publicly disclosed on March 19, 2026. There is currently no indication of active exploitation or inclusion on the CISA KEV catalog. Public proof-of-concept (PoC) code is not widely available, but the vulnerability's nature and the ease of crafting a CSRF request suggest that PoCs could emerge relatively quickly. The vulnerability's reliance on user interaction makes it less likely to be exploited in automated campaigns, but targeted attacks against role leaders remain a concern.
Organizations using Admidio for user management, particularly those with role-based access control, are at risk. Deployments with a large number of users and frequent role changes are especially vulnerable. Shared hosting environments where multiple users share the same Admidio instance also face increased risk, as an attacker could potentially exploit the vulnerability to affect other users.
• php: Examine Admidio's modules/profile/profile_function.php file for the absence of CSRF token validation on the save_membership handler. Search for instances of save_membership without corresponding CSRF token checks:
grep -r 'save_membership' /path/to/admidio/modules/profile/profile_function.php | grep -v 'CSRF_TOKEN'
• generic web: Monitor access logs for POST requests to /admidio/modules/profile/profile_function.php with suspicious parameters related to membership dates and UUIDs.
• generic web: Check for unexpected changes in user roles or membership status after a user visits a potentially malicious page.
Exploit status: disclosure
EPSS: 0.02% (5th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-32755 is to immediately upgrade Admidio to version 5.0.7 or later, which includes the necessary CSRF token validation. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter out POST requests to the save_membership endpoint that lack a valid CSRF token. Additionally, educate users about the risks of clicking suspicious links or visiting untrusted websites. Regularly review Admidio's configuration and ensure that user permissions are appropriately restricted to minimize the potential impact of a successful attack. After upgrading, confirm the fix by submitting a crafted POST request to the save_membership endpoint and verifying that the request is rejected by the CSRF token validation.
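The following is an added illustration of the pattern behind this class of bug and its fix; it is not Admidio's code. The file and mode names (profile_function.php, save_membership) come from this page, while the form field names, the `mode` parameter and the `$update` callback are hypothetical.

```php
<?php
// Illustrative example, not Admidio's implementation. Field names are hypothetical.
session_start();

// Issue one random token per session; it is embedded in the form that edits membership dates.
function csrfToken(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Vulnerable pattern: the handler trusts any POST that carries a membership UUID.
// The browser attaches the role leader's session cookie automatically, so a form on any
// other site the leader visits while logged in can drive this handler.
function saveMembershipVulnerable(array $post, callable $update): void {
    $update($post['membership_uuid'], $post['start_date'], $post['end_date']);
}

// Hardened pattern: the POST must carry the token bound to the victim's own session,
// compared in constant time; a cross-site Origin/Referer is rejected as defence in depth.
function saveMembershipHardened(array $post, array $server, callable $update): bool {
    $expected  = $_SESSION['csrf_token'] ?? '';
    $submitted = $post['csrf_token'] ?? '';
    if ($expected === '' || !hash_equals($expected, $submitted)) {
        http_response_code(403);           // token missing or forged: do not touch the record
        return false;
    }
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ($source !== '' && parse_url($source, PHP_URL_HOST) !== ($server['SERVER_NAME'] ?? '')) {
        http_response_code(403);           // browser says the form was submitted from elsewhere
        return false;
    }
    $update($post['membership_uuid'], $post['start_date'], $post['end_date']);
    return true;
}

// Form fragment: the token travels in a hidden field next to the membership data.
function membershipForm(string $uuid): string {
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    $uuid  = htmlspecialchars($uuid, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="profile_function.php">'
         . '<input type="hidden" name="mode" value="save_membership">'   // hypothetical parameter
         . '<input type="hidden" name="membership_uuid" value="' . $uuid . '">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input type="date" name="start_date"><input type="date" name="end_date">'
         . '<button type="submit">Save</button></form>';
}
```

The WAF workaround in the paragraph above can only check that a token field is present, not that it matches the session; the server-side comparison in `saveMembershipHardened` is what actually closes the hole.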
Update Admidio to version 5.0.7 or later. This version fixes the Cross-Site Request Forgery (CSRF) vulnerability in the function that modifies role membership dates. The update will prevent attackers from manipulating users' membership dates without authorization.
CVE-2026-32755 is a Cross-Site Request Forgery (CSRF) vulnerability in Admidio versions 5.0.6 and below, allowing attackers to silently modify user membership dates.
You are affected if you are using Admidio version 5.0.6 or earlier. Upgrade to version 5.0.7 to mitigate the risk.
Upgrade Admidio to version 5.0.7 or later. As a temporary workaround, implement a WAF rule to filter requests to the save_membership endpoint.
There is currently no evidence of active exploitation, but the vulnerability's nature suggests it could be targeted.
Refer to the official Admidio security advisory for detailed information and updates: [https://admidio.com/security/admidio-security-advisory-2026-001](https://admidio.com/security/admidio-security-advisory-2026-001)