{ "document": { "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings." } ], "publisher": { "category": "coordinator", "contact_details": "cert@ncsc.nl", "name": "National Cyber Security Centre", "namespace": "https://www.ncsc.nl/" }, "title": "CVE-2026-32755", "tracking": { "current_release_date": "2026-03-25T15:39:56.254135Z", "generator": { "date": "2026-02-17T15:00:00Z", "engine": { "name": "V.E.L.M.A", "version": "1.7" } }, "id": "CVE-2026-32755", "initial_release_date": "2026-03-16T21:39:54.026836Z", "revision_history": [ { "date": "2026-03-16T21:39:54.026836Z", "number": "1", "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)." }, { "date": "2026-03-16T21:40:01.987608Z", "number": "2", "summary": "NCSC Score created." }, { "date": "2026-03-19T15:31:03.438608Z", "number": "3", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)." }, { "date": "2026-03-20T18:20:49.435272Z", "number": "4", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)." }, { "date": "2026-03-20T18:20:53.643272Z", "number": "5", "summary": "NCSC Score updated." }, { "date": "2026-03-20T18:21:22.826595Z", "number": "6", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (2).| CWES updated (1)." }, { "date": "2026-03-20T18:21:26.161889Z", "number": "7", "summary": "NCSC Score updated." }, { "date": "2026-03-20T21:41:55.970462Z", "number": "8", "summary": "References created (2)." }, { "date": "2026-03-20T21:59:44.502768Z", "number": "9", "summary": "Source connected.| CVE status created. (valid)| EPSS created." }, { "date": "2026-03-20T21:59:47.639648Z", "number": "10", "summary": "NCSC Score updated." }, { "date": "2026-03-21T13:46:46.812877Z", "number": "11", "summary": "References removed (2)." }, { "date": "2026-03-22T00:52:09.960831Z", "number": "12", "summary": "References created (2)." }, { "date": "2026-03-22T11:25:11.501720Z", "number": "13", "summary": "References removed (2)." }, { "date": "2026-03-23T00:54:20.539331Z", "number": "14", "summary": "References created (2)." }, { "date": "2026-03-23T05:16:17.758701Z", "number": "15", "summary": "References removed (2)." }, { "date": "2026-03-24T13:47:08.349524Z", "number": "16", "summary": "Products connected (1).| Product Identifiers created (1).| Exploits created (1)." }, { "date": "2026-03-24T13:47:11.332013Z", "number": "17", "summary": "NCSC Score updated." }, { "date": "2026-03-24T20:56:43.443988Z", "number": "18", "summary": "References created (2)." }, { "date": "2026-03-24T20:57:15.697288Z", "number": "19", "summary": "NCSC Score updated." }, { "date": "2026-03-25T15:39:53.059797Z", "number": "20", "summary": "Unknown change." }, { "date": "2026-03-25T15:39:54.690045Z", "number": "21", "summary": "NCSC Score updated." } ], "status": "interim", "version": "21" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/<5.0.7", "product": { "name": "vers:unknown/<5.0.7", "product_id": "CSAFPID-5895587", "product_identification_helper": { "cpe": "cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*" } } } ], "category": "product_name", "name": "Admidio" }, { "branches": [ { "category": "product_version_range", "name": "vers:unknown/<5.0.7", "product": { "name": "vers:unknown/<5.0.7", "product_id": "CSAFPID-5874020" } } ], "category": "product_name", "name": "admidio" } ], "category": "vendor", "name": "Admidio" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-32755", "cwe": { "id": "CWE-352", "name": "Cross-Site Request Forgery (CSRF)" }, "notes": [ { "category": "description", "text": "## Summary\n\nThe `save_membership` action in `modules/profile/profile_function.php` saves changes to a member's role membership start and end dates but does not validate the CSRF token. The handler checks `stop_membership` and `remove_former_membership` against the CSRF token but omits `save_membership` from that check. Because membership UUIDs appear in the HTML source visible to authenticated users, an attacker can embed a crafted POST form on any external page and trick a role leader into submitting it, silently altering membership dates for any member of roles the victim leads.\n\n## Details\n\n### CSRF Check Is Absent for save_membership\n\nFile: `D:/bugcrowd/admidio/repo/modules/profile/profile_function.php`, lines 40-42\n\nThe CSRF guard covers only two of the three mutative modes:\n\n```php\nif (in_array($getMode, array('stop_membership', 'remove_former_membership'))) {\n // check the CSRF token of the form against the session token\n SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);\n}\n```\n\nThe `save_membership` mode is missing from this array. The handler then proceeds to read dates from `$_POST` and update the database without any token verification:\n\n```php\n} elseif ($getMode === 'save_membership') {\n $postMembershipStart = admFuncVariableIsValid($_POST, 'adm_membership_start_date', 'date', array('requireValue' => true));\n $postMembershipEnd = admFuncVariableIsValid($_POST, 'adm_membership_end_date', 'date', array('requireValue' => true));\n\n $member = new Membership($gDb);\n $member->readDataByUuid($getMemberUuid);\n $role = new Role($gDb, (int)$member->getValue('mem_rol_id'));\n\n // check if user has the right to edit this membership\n if (!$role->allowedToAssignMembers($gCurrentUser)) {\n throw new Exception('SYS_NO_RIGHTS');\n }\n // ... validates dates ...\n $role->setMembership($user->getValue('usr_id'), $postMembershipStart, $postMembershipEnd, ...);\n echo 'success';\n}\n```\n\nFile: `D:/bugcrowd/admidio/repo/modules/profile/profile_function.php`, lines 131-169\n\n### The Form Does Generate a CSRF Token (Not Validated)\n\nFile: `D:/bugcrowd/admidio/repo/modules/profile/roles_functions.php`, lines 218-241\n\nThe membership date form is created via `FormPresenter`, which automatically injects an `adm_csrf_token` hidden field into every form. However, the server-side `save_membership` handler never retrieves or validates this token. An attacker's forged form does not need to include the token at all, since the server does not check it.\n\n### Who Can Be Exploited as the CSRF Victim\n\nFile: `D:/bugcrowd/admidio/repo/src/Roles/Entity/Role.php`, lines 98-121\n\nThe `allowedToAssignMembers()` check grants write access to:\n- Any user who is `isAdministratorRoles()` (role administrators), or\n- Any user who is a leader of the target role when the role has `rol_leader_rights` set to `ROLE_LEADER_MEMBERS_ASSIGN` or `ROLE_LEADER_MEMBERS_ASSIGN_EDIT`\n\nRole leaders are not system administrators. They are regular members who have been designated as group leaders (e.g., a sports team captain or committee chair). This represents a low-privilege attack surface.\n\n### UUIDs Are Discoverable from HTML Source\n\nThe save URL for the membership date form is embedded in the profile page HTML:\n\n```\n/adm_program/modules/profile/profile_function.php?mode=save_membership&user_uuid=&member_uuid=\n```\n\nAny authenticated member who can view a profile page can extract both UUIDs from the page source.\n\n## PoC\n\nThe attacker hosts the following HTML page and tricks a role leader into visiting it while logged in to Admidio:\n\n```html\n\n\n\n
&member_uuid=\">\n \n \n \n\n\n```\n\nExpected result: The target member's role membership dates are overwritten to 2000-01-01 through 2000-01-02, effectively terminating their active membership immediately (end date is in the past).\n\nNote: No `adm_csrf_token` field is required because the server does not validate it for `save_membership`.\n\n## Impact\n\n- **Unauthorized membership date manipulation:** A role leader's session can be silently exploited to change start and end dates for any member of roles they lead. Setting the end date to a past date immediately terminates the member's active participation.\n- **Effective access revocation:** Membership in roles controls access to role-restricted features (events visible only to role members, document folders with upload rights, and mailing list memberships). Revoking membership via CSRF removes these access rights.\n- **Covert escalation:** An attacker could also extend a restricted membership period beyond its authorized end date, maintaining access for a user who should have been deactivated.\n- **No administrative approval required:** The impact occurs silently on the victim's session with no confirmation dialog or notification email.\n\n## Recommended Fix\n\n### Fix 1: Add `save_membership` to the existing CSRF validation check\n\n```php\n// File: modules/profile/profile_function.php, lines 40-42\nif (in_array($getMode, array('stop_membership', 'remove_former_membership', 'save_membership'))) {\n // check the CSRF token of the form against the session token\n SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);\n}\n```\n\n### Fix 2: Use the form-object validation pattern (consistent with other write endpoints)\n\n```php\n} elseif ($getMode === 'save_membership') {\n // Validate CSRF via form object (consistent pattern used by DocumentsService, etc.)\n $membershipForm = $gCurrentSession->getFormObject($_POST['adm_csrf_token']);\n $formValues = $membershipForm->validate($_POST);\n\n $postMembershipStart = $formValues['adm_membership_start_date'];\n $postMembershipEnd = $formValues['adm_membership_end_date'];\n // ... rest of save logic unchanged\n}\n```", "title": "github - https://github.com/advisories/GHSA-h8gr-qwr6-m9gx" }, { "category": "description", "text": "## Summary\n\nThe `save_membership` action in `modules/profile/profile_function.php` saves changes to a member's role membership start and end dates but does not validate the CSRF token. The handler checks `stop_membership` and `remove_former_membership` against the CSRF token but omits `save_membership` from that check. Because membership UUIDs appear in the HTML source visible to authenticated users, an attacker can embed a crafted POST form on any external page and trick a role leader into submitting it, silently altering membership dates for any member of roles the victim leads.\n\n## Details\n\n### CSRF Check Is Absent for save_membership\n\nFile: `D:/bugcrowd/admidio/repo/modules/profile/profile_function.php`, lines 40-42\n\nThe CSRF guard covers only two of the three mutative modes:\n\n```php\nif (in_array($getMode, array('stop_membership', 'remove_former_membership'))) {\n // check the CSRF token of the form against the session token\n SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);\n}\n```\n\nThe `save_membership` mode is missing from this array. The handler then proceeds to read dates from `$_POST` and update the database without any token verification:\n\n```php\n} elseif ($getMode === 'save_membership') {\n $postMembershipStart = admFuncVariableIsValid($_POST, 'adm_membership_start_date', 'date', array('requireValue' => true));\n $postMembershipEnd = admFuncVariableIsValid($_POST, 'adm_membership_end_date', 'date', array('requireValue' => true));\n\n $member = new Membership($gDb);\n $member->readDataByUuid($getMemberUuid);\n $role = new Role($gDb, (int)$member->getValue('mem_rol_id'));\n\n // check if user has the right to edit this membership\n if (!$role->allowedToAssignMembers($gCurrentUser)) {\n throw new Exception('SYS_NO_RIGHTS');\n }\n // ... validates dates ...\n $role->setMembership($user->getValue('usr_id'), $postMembershipStart, $postMembershipEnd, ...);\n echo 'success';\n}\n```\n\nFile: `D:/bugcrowd/admidio/repo/modules/profile/profile_function.php`, lines 131-169\n\n### The Form Does Generate a CSRF Token (Not Validated)\n\nFile: `D:/bugcrowd/admidio/repo/modules/profile/roles_functions.php`, lines 218-241\n\nThe membership date form is created via `FormPresenter`, which automatically injects an `adm_csrf_token` hidden field into every form. However, the server-side `save_membership` handler never retrieves or validates this token. An attacker's forged form does not need to include the token at all, since the server does not check it.\n\n### Who Can Be Exploited as the CSRF Victim\n\nFile: `D:/bugcrowd/admidio/repo/src/Roles/Entity/Role.php`, lines 98-121\n\nThe `allowedToAssignMembers()` check grants write access to:\n- Any user who is `isAdministratorRoles()` (role administrators), or\n- Any user who is a leader of the target role when the role has `rol_leader_rights` set to `ROLE_LEADER_MEMBERS_ASSIGN` or `ROLE_LEADER_MEMBERS_ASSIGN_EDIT`\n\nRole leaders are not system administrators. They are regular members who have been designated as group leaders (e.g., a sports team captain or committee chair). This represents a low-privilege attack surface.\n\n### UUIDs Are Discoverable from HTML Source\n\nThe save URL for the membership date form is embedded in the profile page HTML:\n\n```\n/adm_program/modules/profile/profile_function.php?mode=save_membership&user_uuid=&member_uuid=\n```\n\nAny authenticated member who can view a profile page can extract both UUIDs from the page source.\n\n## PoC\n\nThe attacker hosts the following HTML page and tricks a role leader into visiting it while logged in to Admidio:\n\n```html\n\n\n\n
&member_uuid=\">\n \n \n \n\n\n```\n\nExpected result: The target member's role membership dates are overwritten to 2000-01-01 through 2000-01-02, effectively terminating their active membership immediately (end date is in the past).\n\nNote: No `adm_csrf_token` field is required because the server does not validate it for `save_membership`.\n\n## Impact\n\n- **Unauthorized membership date manipulation:** A role leader's session can be silently exploited to change start and end dates for any member of roles they lead. Setting the end date to a past date immediately terminates the member's active participation.\n- **Effective access revocation:** Membership in roles controls access to role-restricted features (events visible only to role members, document folders with upload rights, and mailing list memberships). Revoking membership via CSRF removes these access rights.\n- **Covert escalation:** An attacker could also extend a restricted membership period beyond its authorized end date, maintaining access for a user who should have been deactivated.\n- **No administrative approval required:** The impact occurs silently on the victim's session with no confirmation dialog or notification email.\n\n## Recommended Fix\n\n### Fix 1: Add `save_membership` to the existing CSRF validation check\n\n```php\n// File: modules/profile/profile_function.php, lines 40-42\nif (in_array($getMode, array('stop_membership', 'remove_former_membership', 'save_membership'))) {\n // check the CSRF token of the form against the session token\n SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);\n}\n```\n\n### Fix 2: Use the form-object validation pattern (consistent with other write endpoints)\n\n```php\n} elseif ($getMode === 'save_membership') {\n // Validate CSRF via form object (consistent pattern used by DocumentsService, etc.)\n $membershipForm = $gCurrentSession->getFormObject($_POST['adm_csrf_token']);\n $formValues = $membershipForm->validate($_POST);\n\n $postMembershipStart = $formValues['adm_membership_start_date'];\n $postMembershipEnd = $formValues['adm_membership_end_date'];\n // ... rest of save logic unchanged\n}\n```", "title": "github - https://api.github.com/advisories/GHSA-h8gr-qwr6-m9gx" }, { "category": "description", "text": "Admidio is an open-source user management solution. In versions 5.0.6 and below, the save_membership action in modules/profile/profile_function.php saves changes to a member's role membership start and end dates but does not validate the CSRF token. The handler checks stop_membership and remove_former_membership against the CSRF token but omits save_membership from that check. Because membership UUIDs appear in the HTML source visible to authenticated users, an attacker can embed a crafted POST form on any external page and trick a role leader into submitting it, silently altering membership dates for any member of roles the victim leads. A role leader's session can be silently exploited via CSRF to manipulate any member's membership dates, terminating access by backdating, covertly extending unauthorized access, or revoking role-restricted features, all without confirmation, notification, or administrative approval. This issue has been fixed in version 5.0.7.", "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-32755" }, { "category": "description", "text": "Admidio is an open-source user management solution. In versions 5.0.6 and below, the save_membership action in modules/profile/profile_function.php saves changes to a member's role membership start and end dates but does not validate the CSRF token. The handler checks stop_membership and remove_former_membership against the CSRF token but omits save_membership from that check. Because membership UUIDs appear in the HTML source visible to authenticated users, an attacker can embed a crafted POST form on any external page and trick a role leader into submitting it, silently altering membership dates for any member of roles the victim leads. A role leader's session can be silently exploited via CSRF to manipulate any member's membership dates, terminating access by backdating, covertly extending unauthorized access, or revoking role-restricted features, all without confirmation, notification, or administrative approval. This issue has been fixed in version 5.0.7.", "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/32xxx/CVE-2026-32755.json" }, { "category": "other", "text": "0.00017", "title": "EPSS" }, { "category": "other", "text": "3.4", "title": "NCSC Score" }, { "category": "other", "text": "Is related to (a version of) an uncommon product, Is related to CWE-352 (Cross-Site Request Forgery (CSRF)), The value of the most recent EPSS score, There is exploit data available from source Nvd", "title": "NCSC Score top decreasing factors" } ], "product_status": { "known_affected": [ "CSAFPID-5874020", "CSAFPID-5895587" ] }, "references": [ { "category": "external", "summary": "Source - github", "url": "https://github.com/advisories/GHSA-h8gr-qwr6-m9gx" }, { "category": "external", "summary": "Source raw - github", "url": "https://api.github.com/advisories/GHSA-h8gr-qwr6-m9gx" }, { "category": "external", "summary": "Source - github", "url": "https://api.github.com/advisories/GHSA-h8gr-qwr6-m9gx" }, { "category": "external", "summary": "Source - nvd", "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-32755" }, { "category": "external", "summary": "Source - cveprojectv5", "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/32xxx/CVE-2026-32755.json" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd", "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-h8gr-qwr6-m9gx" }, { "category": "external", "summary": "Reference - github", "url": "https://github.com/advisories/GHSA-h8gr-qwr6-m9gx" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd", "url": "https://github.com/Admidio/admidio/releases/tag/v5.0.7" }, { "category": "external", "summary": "Reference - github", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32755" } ], "scores": [ { "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N", "baseScore": 5.7, "baseSeverity": "MEDIUM" }, "products": [ "CSAFPID-5874020", "CSAFPID-5895587" ] } ], "title": "CVE-2026-32755" } ] }