GHSA-wwg8-6ffr-h4q2: Cross-Site Request Forgery in Admidio Role Management

Published: (March 17, 2026 at 12:40 AM EDT)
Source: Dev.to

Vulnerability Overview

  • Vulnerability ID: GHSA-WWG8-6FFR-H4Q2
  • CVSS v3.1 Base Score: 5.7 (Medium)
  • Published: 2026-03-16
  • Type: Cross‑Site Request Forgery (CSRF) – CWE‑352

Admidio versions 5.0.0 through 5.0.6 contain a CSRF vulnerability in the organizational role‑management module. The application does not validate anti‑CSRF tokens for state‑changing operations such as role deletion, activation, and deactivation. An attacker who lures an authenticated administrator to a page they control can have the victim's browser submit a crafted request to one of these endpoints; because the browser attaches the Admidio session cookie automatically and the server checks no session-bound token, the request is processed as if the administrator had initiated it, allowing unauthorized deletion or modification of organizational roles.
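To make the missing check concrete, here is an added example (not Admidio's code, which is PHP; the route, parameter names, role table and deployment origin are assumptions) contrasting the vulnerable pattern the advisory describes with a handler that validates a session-bound synchronizer token and, as defence in depth, the request's Origin or Referer:

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed example state; none of this is Admidio's data model or routing.
SITE_ORIGIN = "https://admidio.example"   # assumed deployment origin
ROLES = {1: "Members", 2: "Board"}        # constructed role table


@dataclass
class Session:
    """Server-side session, resolved from the cookie the browser attaches automatically."""
    user_is_admin: bool
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    method: str
    params: dict                # form fields; "role_id" and "csrf_token" are hypothetical names
    session: Session
    headers: dict = field(default_factory=dict)


def vulnerable_delete_role(req: Request, roles: dict) -> str:
    """The pattern the advisory describes: only the session's privilege is checked,
    so a cross-site form post riding on the admin's cookie looks like a deliberate click."""
    if req.method != "POST" or not req.session.user_is_admin:
        return "denied"
    roles.pop(int(req.params["role_id"]), None)
    return "deleted"


def _same_site(req: Request) -> bool:
    """Origin (or Referer as a fallback) must match the site. A state-changing
    request that carries neither header is rejected."""
    origin = req.headers.get("Origin")
    if origin is None:
        referer = req.headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def hardened_delete_role(req: Request, roles: dict) -> str:
    """Synchronizer-token check bound to the session, then the origin check,
    then the original authorization and action."""
    if req.method != "POST" or not req.session.user_is_admin:
        return "denied"
    submitted = req.params.get("csrf_token", "")
    # Constant-time compare; a page on another site cannot read the token
    # out of the admin's session or out of a form it cannot load cross-origin.
    if not hmac.compare_digest(submitted.encode(), req.session.csrf_token.encode()):
        return "rejected: csrf token"
    if not _same_site(req):
        return "rejected: origin"
    roles.pop(int(req.params["role_id"]), None)
    return "deleted"


if __name__ == "__main__":
    admin = Session(user_is_admin=True)
    # Forged request: a form on https://evil.example auto-submits to the role endpoint.
    # The browser sends the admin's cookie, but the attacker cannot supply the token.
    forged = Request("POST", {"role_id": 2}, admin, {"Origin": "https://evil.example"})
    r1, r2 = dict(ROLES), dict(ROLES)
    print(vulnerable_delete_role(forged, r1), r1)   # deleted {1: 'Members'}
    print(hardened_delete_role(forged, r2), r2)     # rejected: csrf token {1: 'Members', 2: 'Board'}
    # Legitimate request: the token was rendered into the form from the admin's own session.
    legit = Request("POST", {"role_id": 2, "csrf_token": admin.csrf_token}, admin,
                    {"Origin": SITE_ORIGIN})
    r3 = dict(ROLES)
    print(hardened_delete_role(legit, r3), r3)      # deleted {1: 'Members'}
```

The token check is the fix; the origin check only narrows the window in which a leaked or predictable token could be used, and it rejects requests with neither header because a browser-initiated state change should always carry at least one of them.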

Affected Component

  • Package: admidio/admidio
  • Version range: `>= 5.0.0,

### Additional Mitigations

- Log HTTP requests at the web server or reverse proxy, including the `Referer` (and, where the log format allows, `Origin`) header, and alert on requests to role‑management endpoints whose `Referer` is missing or points to another site. A foreign `Referer` is a strong signal; a missing one is weaker, since browser privacy settings and a `Referrer-Policy` strip it legitimately.  
- Educate administrative staff to avoid clicking external links while logged into Admidio.  
- Review access logs for any historical exploitation of this vulnerability.
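The log review suggested above can be scripted. The following is an added example, not tooling from Admidio or the advisory: it parses combined-format access log lines and flags requests to a role-management path prefix whose Referer is absent or belongs to another host. The path prefix, hostnames and log lines are constructed for the example and must be replaced with your deployment's real paths.

```python
import re
from urllib.parse import urlsplit

# Apache/nginx "combined" format:
#   client ident user [time] "method target proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hypothetical path prefix for the role-management module; substitute the paths
# your Admidio deployment actually serves (the real routes are not shown here).
ROLE_MGMT_PREFIXES = ("/adm_program/modules/roles/",)

# Constructed sample log; hosts, times and paths are invented for this example.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Mar/2026:10:02:11 +0000] "GET /adm_program/modules/roles/roles.php HTTP/1.1" 200 5120 "https://admidio.example/adm_program/overview.php" "Mozilla/5.0"',
    '203.0.113.5 - - [16/Mar/2026:10:02:40 +0000] "POST /adm_program/modules/roles/roles_function.php?mode=delete HTTP/1.1" 303 0 "https://admidio.example/adm_program/modules/roles/roles.php" "Mozilla/5.0"',
    '203.0.113.5 - - [16/Mar/2026:10:05:07 +0000] "POST /adm_program/modules/roles/roles_function.php?mode=delete HTTP/1.1" 303 0 "https://evil.example/lure.html" "Mozilla/5.0"',
    '203.0.113.5 - - [16/Mar/2026:10:06:19 +0000] "GET /adm_program/modules/roles/roles_function.php?mode=deactivate HTTP/1.1" 303 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Mar/2026:10:07:00 +0000] "GET /adm_program/modules/announcements/announcements.php HTTP/1.1" 200 3000 "https://evil.example/x" "Mozilla/5.0"',
]


def classify(line, site_host, prefixes=ROLE_MGMT_PREFIXES):
    """Return a reason string for a request worth reviewing, or None.
    Lines that do not parse or do not touch role management are ignored."""
    m = LOG_RE.match(line)
    if not m:
        return None
    if not urlsplit(m["target"]).path.startswith(prefixes):
        return None
    referer = m["referer"]
    if referer in ("", "-"):
        # Weak signal: Referrer-Policy or privacy tooling strips Referer legitimately.
        return "no-referer"
    if urlsplit(referer).hostname != site_host:
        # Strong signal: a request to a state-changing module launched from another site.
        return "foreign-referer"
    return None


def suspicious_requests(lines, site_host):
    """Scan log lines and collect (reason, line) for every request classify() flags."""
    hits = []
    for line in lines:
        verdict = classify(line, site_host)
        if verdict:
            hits.append((verdict, line))
    return hits


if __name__ == "__main__":
    for reason, line in suspicious_requests(SAMPLE_LOG, "admidio.example"):
        print(reason, "->", line.split('"')[1])
```

The scan deliberately does not filter by HTTP method, because the advisory does not state which methods the affected endpoints accept; narrow it once you have confirmed that in your version. Treat "no-referer" hits as leads to correlate with the session and user, not as proof of exploitation.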

## References

- **GitHub Security Advisory:** [GHSA‑wwg8‑6ffr‑h4q2](https://github.com/admidio/admidio/security/advisories/GHSA-wwg8-6ffr-h4q2)  
- **Admidio Official Repository:**   
- **OSV Entry:** [GHSA‑wwg8‑6ffr‑h4q2](https://osv.dev/vulnerability/GHSA-wwg8-6ffr-h4q2)