cvedb.io
CVE-2026-32818
MEDIUM · CVSS 6.5
EPSS exploitation probability: 0%
Published 2026-03-19T23:16:44.543 · Last modified 2026-06-17T10:36:24.277

Summary

Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the forum module in Admidio does not verify whether the current user has permission to delete forum topics or posts. Both the topic_delete and post_delete actions in forum.php only validate the CSRF token but perform no authorization check before calling delete(). Any authenticated user with forum access can delete any topic (with all its posts) or any individual post by providing its UUID. This is inconsistent with the save/edit operations, which properly check isAdministratorForum() and ownership before allowing modifications. Any logged-in user can permanently and irreversibly delete any forum topic (including all its posts) or any individual post by simply knowing its UUID (which is publicly visible in

Affected products

admidio — admidio

Does this affect you?

Add your gear to cvedb and we'll alert you only when admidio ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.