Description
Admidio is an open-source user management solution. In versions 5.0.6 and below, the save_membership action in modules/profile/profile_function.php saves changes to a member's role membership start and end dates but does not validate the CSRF token. The handler checks stop_membership and remove_former_membership against the CSRF token but omits save_membership from that check. Because membership UUIDs appear in the HTML source visible to authenticated users, an attacker can embed a crafted POST form on any external page and trick a role leader into submitting it, silently altering membership dates for any member of roles the victim leads. A role leader's session can be silently exploited via CSRF to manipulate any member's membership dates, terminating access by backdating, covertly extending unauthorized access, or revoking role-restricted features, all without confirmation, notification, or administrative approval. This issue has been fixed in version 5.0.7.
Published: 2026-03-19
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized alteration of role membership dates leading to unauthorized access or revocation
Action: Immediate Patch
AI Analysis

Impact

Admidio, an open-source user management platform, is missing CSRF validation in the save_membership action within the profile module. The flaw allows a malicious actor to craft a form that, when submitted by an authenticated role leader, silently changes a member's role start or end dates. This can prematurely end a member's access, grant extended privileges, or remove authorized features without the user's awareness or any administrative confirmation. The underlying weakness is CWE-352, cross-site request forgery.

Affected Systems

The vulnerability affects Admidio versions 5.0.6 and earlier; version 5.0.7 includes the fix. Administrators should check whether their installation is older than 5.0.7.

Risk and Exploitability

The CVSS score of 5.7 classifies the issue as medium severity. The EPSS score of less than 1% suggests a low exploitation probability, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack vector is nonetheless remote (AV:N in the CVSS vector): an attacker can host an external page that automatically posts to the victim's authenticated session, because the save_membership handler performs no CSRF check. Successful exploitation requires that the victim is a role leader with an active session; once triggered, the attacker can silently modify the membership dates of any member within the victim's purview.
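The missing-check pattern from the Description and Impact sections, as an added PHP illustration that is not Admidio's code: a hypothetical dispatcher that validates the CSRF token only inside some action branches, beside one that gates every state-changing action once before dispatch. The function names, the 'csrf_token' field name and the placeholder UUID are assumptions.

```php
<?php
// Added illustration, not Admidio's code: a hypothetical profile_function-style dispatcher.
// Assumes the session token is stored as $_SESSION['csrf_token'] and posted as 'csrf_token'.

function csrfTokenIsValid(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given = $post['csrf_token'] ?? '';
    // Constant-time comparison; a missing or empty token never validates.
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Vulnerable shape (the 5.0.6 pattern): the token is checked inside some branches only.
function handleVulnerable(string $mode, array $session, array $post, callable $save): string
{
    if ($mode === 'stop_membership' || $mode === 'remove_former_membership') {
        return csrfTokenIsValid($session, $post) ? 'stopped' : 'rejected';
    }
    if ($mode === 'save_membership') {
        // This branch never consults the token, so a cross-site POST reaches the save.
        $save($post['membership_uuid'] ?? '', $post['start'] ?? '', $post['end'] ?? '');
        return 'saved';
    }
    return 'unknown mode';
}

// Hardened shape: gate every state-changing mode once, before dispatch, so a newly
// added mode cannot be forgotten when the per-branch checks are written.
const STATE_CHANGING = ['save_membership', 'stop_membership', 'remove_former_membership'];

function handleFixed(string $mode, array $session, array $post, callable $save): string
{
    if (in_array($mode, STATE_CHANGING, true) && !csrfTokenIsValid($session, $post)) {
        return 'rejected';
    }
    if ($mode === 'save_membership') {
        $save($post['membership_uuid'] ?? '', $post['start'] ?? '', $post['end'] ?? '');
        return 'saved';
    }
    return in_array($mode, STATE_CHANGING, true) ? 'stopped' : 'unknown mode';
}

// Constructed check: a POST that carries no session token, which is what a form hosted
// on another origin submits. The UUID is a placeholder, not a real identifier.
$session = ['csrf_token' => bin2hex(random_bytes(16))];
$post = ['membership_uuid' => 'PLACEHOLDER-UUID', 'start' => '2020-01-01', 'end' => '2020-01-31'];
$save = function (string $uuid, string $start, string $end): void { /* persist the dates */ };
echo 'vulnerable: ', handleVulnerable('save_membership', $session, $post, $save), PHP_EOL;
echo 'fixed:      ', handleFixed('save_membership', $session, $post, $save), PHP_EOL;
```

With the same token-less request, the vulnerable dispatcher reports "saved" while the hardened one reports "rejected"; a regression test that posts each state-changing mode without a token and expects rejection catches this class of omission before release.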

Generated by OpenCVE AI on March 23, 2026 at 20:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Admidio 5.0.7 patch or later



Advisories

Source: GitHub GHSA
ID: GHSA-h8gr-qwr6-m9gx
Title: Admidio is Missing CSRF Protection on Role Membership Date Changes
History

Wed, 25 Mar 2026 15:15:00 +0000
  Metrics (ssvc), values added:
    {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 19:15:00 +0000
  CPEs, values added:
    cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*

Fri, 20 Mar 2026 09:00:00 +0000
  First Time appeared, values added:
    Admidio
    Admidio admidio
  Vendors & Products, values added:
    Admidio
    Admidio admidio

Thu, 19 Mar 2026 23:00:00 +0000
  Description, values added:
    (the Description text shown at the top of this page)
  Title, values added:
    Admidio is Missing CSRF Protection on Role Membership Date Changes
  Weaknesses, values added:
    CWE-352
  References, values added:
    (none listed)
  Metrics (cvssV3_1), values added:
    {'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T14:52:11.101Z

Reserved: 2026-03-13T18:53:03.532Z

Link: CVE-2026-32755

Vulnrichment

Updated: 2026-03-25T14:51:57.427Z

NVD

Status: Analyzed

Published: 2026-03-19T23:16:44.203

Modified: 2026-03-23T19:11:15.950

Link: CVE-2026-32755

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:54:14Z

Weaknesses