Description

Admidio is an open-source user management solution. In versions 5.0.6 and below, the save_membership action in modules/profile/profile_function.php saves changes to a member's role membership start and end dates but does not validate the CSRF token. The handler checks stop_membership and remove_former_membership against the CSRF token but omits save_membership from that check. Because membership UUIDs appear in the HTML source visible to authenticated users, an attacker can embed a crafted POST form on any external page and trick a role leader into submitting it, silently altering membership dates for any member of roles the victim leads. A role leader's session can be silently exploited via CSRF to manipulate any member's membership dates, terminating access by backdating, covertly extending unauthorized access, or revoking role-restricted features, all without confirmation, notification, or administrative approval. This issue has been fixed in version 5.0.7.

INFO

Published Date :

2026-03-19T22:53:09.081Z

Last Modified :

2026-03-19T22:53:09.081Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-32755 vulnerability.

Vendors Products
Admidio
  • Admidio
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-32755.

URL Resource
https://github.com/Admidio/admidio/releases/tag/v5.0.7 cve-icon cve-icon
https://github.com/Admidio/admidio/security/advisories/GHSA-h8gr-qwr6-m9gx cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact