{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32818", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-16T17:35:36.696Z", "datePublished": "2026-03-19T23:00:40.299Z", "dateUpdated": "2026-03-20T20:25:10.515Z"}, "containers": {"cna": {"title": "Admidio is Missing Authorization on Forum Topic and Post Deletion", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Admidio/admidio/security/advisories/GHSA-g375-5wmp-xr78", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-g375-5wmp-xr78"}, {"name": "https://github.com/Admidio/admidio/releases/tag/v5.0.7", "tags": ["x_refsource_MISC"], "url": "https://github.com/Admidio/admidio/releases/tag/v5.0.7"}], "affected": [{"vendor": "Admidio", "product": "admidio", "versions": [{"version": "< 5.0.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T23:00:40.299Z"}, "descriptions": [{"lang": "en", "value": "Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the forum module in Admidio does not verify whether the current user has permission to delete forum topics or posts. Both the topic_delete and post_delete actions in forum.php only validate the CSRF token but perform no authorization check before calling delete(). Any authenticated user with forum access can delete any topic (with all its posts) or any individual post by providing its UUID. This is inconsistent with the save/edit operations, which properly check isAdministratorForum() and ownership before allowing modifications. Any logged-in user can permanently and irreversibly delete any forum topic (including all its posts) or any individual post by simply knowing its UUID (which is publicly visible in URLs), completely bypassing authorization checks. This issue has been fixed in version 5.0.7."}], "source": {"advisory": "GHSA-g375-5wmp-xr78", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T20:24:42.705111Z", "id": "CVE-2026-32818", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T20:25:10.515Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the forum module in Admidio does not verify whether the current user has permission to delete forum topics or posts. Both the topic_delete and post_delete actions in forum.php only validate the CSRF token but perform no authorization check before calling delete(). Any authenticated user with forum access can delete any topic (with all its posts) or any individual post by providing its UUID. This is inconsistent with the save/edit operations, which properly check isAdministratorForum() and ownership before allowing modifications. Any logged-in user can permanently and irreversibly delete any forum topic (including all its posts) or any individual post by simply knowing its UUID (which is publicly visible in URLs), completely bypassing authorization checks. This issue has been fixed in version 5.0.7."}], "id": "CVE-2026-32818", "lastModified": "2026-03-20T13:37:50.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-19T23:16:44.543", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/Admidio/admidio/releases/tag/v5.0.7"}, {"source": "security-advisories@github.com", "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-g375-5wmp-xr78"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.0.7)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "admidio", "source": "cna", "vendor": "Admidio"}, "product": "admidio", "vendor": "admidio"}], "analysis": {"en": {"generated_at": "2026-03-20T00:24:12.931407+00:00", "value": {"mitigation_remediation": ["Upgrade to Admidio version 5.0.7 or later which includes proper authorization checks on delete operations."], "summary": {"action": "Patch", "impact": "Unauthorized Deletion of Forum Data"}, "threat_synthesis": {"affected_systems": "Admidio user\u2011management application, version 5.0.0 through 5.0.6. The issue does not affect later releases (5.0.7 and above).", "description_and_impact": "The bug resides in Admidio versions 5.0.0\u20115.0.6, where the forum module fails to check permissions when deleting topics or posts. The topic_delete and post_delete actions only validate the CSRF token, and do not confirm that the authenticated user is an administrator or the owner of the content. As a result, any logged\u2011in user with forum access can supply the UUID of a topic or post\u2014information that is publicly exposed in URLs\u2014to permanently delete that item and all its associated replies. This leads to irreversible loss of discussion data and can be used to sabotage community content.", "risk_and_exploitability": "The CVSS v3.1 score of 6.5 indicates a moderate to high severity. The vulnerability can be exploited remotely by any authenticated user with forum privileges, with no special local privileges required. Attackers can simply bookmark the URI of a topic or post and issue a DELETE request after providing a valid CSRF token. No exploit attempts are known in the public domain and the vulnerability is not listed in the CISA KEV catalog. The primary attack vector is web\u2011based authentication, making this a readily actionable issue for any organization running an affected version of Admidio."}}}}, "created": "2026-03-20T08:54:28.835372+00:00", "updated": "2026-03-20T10:43:56.682469+00:00", "vendors": ["admidio", "admidio$PRODUCT$admidio"]}