Admidio is an open-source user management solution. In versions 5.0.6 and below, the savemembership action in modules/profile/profilefunction.php saves changes to a member's role membership start and end dates without validating the CSRF token. The handler validates the CSRF token for the stopmembership and removeformermembership actions but omits savemembership from that check. Because membership UUIDs appear in the HTML source visible to authenticated users, an attacker can embed a crafted POST form on any external page and trick a role leader into submitting it, silently altering membership dates for any member of the roles the victim leads. Through the role leader's session, the attacker can terminate a member's access by backdating, covertly extend unauthorized access, or revoke role-restricted features, all without confirmation, notification, or administrative approval. This issue has been fixed in version 5.0.7.
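The failure mode described above, as an added example that is not Admidio's code: a CSRF check gated on a hand-maintained list of actions skips any action left off the list, while a default-deny gate covers every action not explicitly declared read-only. The mode names come from the advisory; the function names, the csrf_token session key and form field, the showmembership mode and the sample request fields are assumptions made for this sketch.

```php
<?php
// Illustrative sketch only, not Admidio's source. Mode names are taken from
// the advisory; every other identifier here is hypothetical.

// Flawed pattern: the token is checked only for modes someone remembered to list.
function csrfRequiredFlawed(string $mode): bool
{
    return in_array($mode, ['stopmembership', 'removeformermembership'], true);
}

// Hardened pattern: default deny. Only modes explicitly declared read-only
// skip the check, so a newly added write action is covered automatically.
const READ_ONLY_MODES = ['showmembership']; // hypothetical read-only mode

function csrfRequiredHardened(string $mode): bool
{
    return !in_array($mode, READ_ONLY_MODES, true);
}

// Constant-time comparison of the submitted token against the session token.
function csrfTokenValid(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return is_string($given) && $expected !== '' && hash_equals($expected, $given);
}

function handle(callable $csrfRequired, string $mode, array $session, array $post): string
{
    if ($csrfRequired($mode) && !csrfTokenValid($session, $post)) {
        return 'rejected';
    }
    return 'processed';
}

// Constructed sample: a cross-site request rides on the victim's session but
// cannot supply the per-session token. Field names and values are made up.
$session = ['csrf_token' => bin2hex(random_bytes(16))];
$request = ['member_uuid' => 'PLACEHOLDER-UUID', 'end_date' => '2020-01-01'];

foreach (['stopmembership', 'removeformermembership', 'savemembership'] as $mode) {
    printf("%-24s flawed=%-9s hardened=%s\n", $mode,
        handle('csrfRequiredFlawed', $mode, $session, $request),
        handle('csrfRequiredHardened', $mode, $session, $request));
}
```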
{
"cwe_ids": [
"CWE-352"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32755.json",
"cna_assigner": "GitHub_M"
}