Description
Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the forum module in Admidio does not verify whether the current user has permission to delete forum topics or posts. Both the topic_delete and post_delete actions in forum.php only validate the CSRF token but perform no authorization check before calling delete(). Any authenticated user with forum access can delete any topic (with all its posts) or any individual post by providing its UUID. This is inconsistent with the save/edit operations, which properly check isAdministratorForum() and ownership before allowing modifications. Any logged-in user can permanently and irreversibly delete any forum topic (including all its posts) or any individual post by simply knowing its UUID (which is publicly visible in URLs), completely bypassing authorization checks. This issue has been fixed in version 5.0.7.
Published: 2026-03-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted Forum Content Deletion
Action: Immediate Patch
AI Analysis

Impact

Admidio versions 5.0.0 through 5.0.6 allow any authenticated user with forum access to permanently delete any forum topic or individual post by supplying its UUID. The module only verifies a CSRF token before deletion, performing no authorization check, which means users can irreversibly remove content they should not be able to alter, undermining the integrity of the discussion data.

Affected Systems

The vulnerability affects the Admidio user management solution, specifically the forum module in releases 5.0.0 up to 5.0.6. Administrators and ordinary users with forum privileges can trigger deletions; the issue is resolved in version 5.0.7 and later.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity, and the EPSS score of less than 1% suggests low overall exploitation probability. Because any authenticated user can delete content by knowing a visible UUID, the threat vector is authenticated web access; no privilege escalation is required. The vulnerability is not listed in CISA's KEV catalog. While the risk to confidentiality is minimal, the potential for irreversible data loss and loss of forum integrity makes it a significant operational concern.

Generated by OpenCVE AI on March 23, 2026 at 21:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Admidio to version 5.0.7 or later to eliminate the missing authorization check.
  • If an upgrade is delayed, restrict forum access to trusted users and monitor for unexpected deletion activity.
  • Verify that users cannot manually craft URLs to delete content, and consider implementing additional server-side authorization checks as a temporary safeguard.
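To make the flaw in the Description concrete, and to show the kind of server-side authorization check the recommended actions refer to, here is an added PHP illustration. It is not Admidio's code: the action names, delete() and isAdministratorForum() come from the advisory, while the classes CurrentUser, ForumTopic and Session and the ownership rule are assumptions made for the example.

```php
<?php
// Added illustration, not Admidio's code. Only the names topic_delete,
// delete() and isAdministratorForum() come from the advisory; CurrentUser,
// ForumTopic, Session and the ownership rule are assumptions.
declare(strict_types=1);

final class CurrentUser
{
    public function __construct(public readonly int $id, private bool $forumAdmin) {}
    public function isAdministratorForum(): bool { return $this->forumAdmin; }
}

final class ForumTopic
{
    public function __construct(public readonly string $uuid, public readonly int $ownerId) {}
    public function delete(): void { /* would remove the topic and all of its posts */ }
}

final class Session
{
    // Stand-in for the real CSRF check; a mismatch aborts the request.
    public static function validateCsrfToken(string $expected, string $given): void
    {
        if (!hash_equals($expected, $given)) { throw new RuntimeException('Bad CSRF token'); }
    }
}

// Vulnerable shape (versions 5.0.0 through 5.0.6): the CSRF token is validated,
// but nothing asks whether this user may delete this topic, so any logged-in
// forum user who knows the UUID from a URL can delete it.
function topicDeleteVulnerable(string $sessionToken, string $givenToken, ForumTopic $topic): void
{
    Session::validateCsrfToken($sessionToken, $givenToken);
    $topic->delete();
}

// Hardened shape: the same rule the advisory says save/edit already apply,
// forum administrators may act on anything, everyone else only on their own
// content. The post_delete action would use the same check on the post owner.
function canDeleteTopic(CurrentUser $user, ForumTopic $topic): bool
{
    return $user->isAdministratorForum() || $user->id === $topic->ownerId;
}

function topicDeleteFixed(string $sessionToken, string $givenToken, CurrentUser $user, ForumTopic $topic): void
{
    Session::validateCsrfToken($sessionToken, $givenToken);
    if (!canDeleteTopic($user, $topic)) {
        // Log the denial so unexpected deletion attempts show up in monitoring.
        error_log(sprintf('forum: user %d denied topic_delete on %s', $user->id, $topic->uuid));
        http_response_code(403);
        throw new RuntimeException('Not authorized to delete this topic');
    }
    $topic->delete();
}
```

The key point is that CSRF validation only proves the request came from the user's own browser; it says nothing about whether that user is allowed to perform the action, which is why the authorization check has to be a separate step before delete().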

Tracking

Advisories
Source: GitHub GHSA
ID: GHSA-g375-5wmp-xr78
Title: Admidio is Missing Authorization on Forum Topic and Post Deletion
History

Mon, 23 Mar 2026 19:00:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*

Fri, 20 Mar 2026 21:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:00:00 +0000

Type: First Time appeared
Values Added: Admidio; Admidio admidio
Type: Vendors & Products
Values Added: Admidio; Admidio admidio

Thu, 19 Mar 2026 23:15:00 +0000

Type: Description
Values Added: Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the forum module in Admidio does not verify whether the current user has permission to delete forum topics or posts. Both the topic_delete and post_delete actions in forum.php only validate the CSRF token but perform no authorization check before calling delete(). Any authenticated user with forum access can delete any topic (with all its posts) or any individual post by providing its UUID. This is inconsistent with the save/edit operations, which properly check isAdministratorForum() and ownership before allowing modifications. Any logged-in user can permanently and irreversibly delete any forum topic (including all its posts) or any individual post by simply knowing its UUID (which is publicly visible in URLs), completely bypassing authorization checks. This issue has been fixed in version 5.0.7.
Type: Title
Values Added: Admidio is Missing Authorization on Forum Topic and Post Deletion
Type: Weaknesses
Values Added: CWE-862
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T20:25:10.515Z

Reserved: 2026-03-16T17:35:36.696Z

Link: CVE-2026-32818

Vulnrichment

Updated: 2026-03-20T20:25:00.574Z

NVD

Status : Analyzed

Published: 2026-03-19T23:16:44.543

Modified: 2026-03-23T18:47:49.850

Link: CVE-2026-32818

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:54:09Z

Weaknesses