
GHSA-g375-5wmp-xr78: Admidio is Missing Authorization on Forum Topic and Post Deletion

March 16, 2026

The forum module in Admidio does not verify whether the current user has permission to delete forum topics or posts. Both the topic_delete and post_delete actions in forum.php only validate the CSRF token but perform no authorization check before calling delete(). Any authenticated user with forum access can delete any topic (with all its posts) or any individual post by providing its UUID.

This is inconsistent with the save/edit operations, which properly check isAdministratorForum() and ownership before allowing modifications.
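The pattern described above, as an added example that is not Admidio's code: a delete handler that only validates the CSRF token, next to one that also applies the administrator-or-owner check the advisory attributes to the save/edit path. All class, function and field names are hypothetical except isAdministratorForum(), and the UUIDs and token are constructed sample values.

```php
<?php
declare(strict_types=1);

// Constructed model, not Admidio code: every name here is hypothetical
// except isAdministratorForum(), which the advisory mentions.
final class User {
    public function __construct(public string $uuid, public bool $forumAdmin = false) {}
    public function isAdministratorForum(): bool { return $this->forumAdmin; }
}

final class Post {
    public bool $deleted = false;
    public function __construct(public string $uuid, public string $authorUuid) {}
    public function delete(): void { $this->deleted = true; }
}

// Pattern from the advisory: the CSRF token is validated, then delete() runs.
function deleteCsrfOnly(User $user, Post $post, string $token, string $sessionToken): void
{
    if (!hash_equals($sessionToken, $token)) {
        throw new RuntimeException('Invalid CSRF token');
    }
    $post->delete(); // $user is never consulted: CSRF proves intent, not permission
}

// Same handler with an authorization gate before delete():
// forum administrator, or owner of the post.
function deleteAuthorized(User $user, Post $post, string $token, string $sessionToken): void
{
    if (!hash_equals($sessionToken, $token)) {
        throw new RuntimeException('Invalid CSRF token');
    }
    if (!$user->isAdministratorForum() && $post->authorUuid !== $user->uuid) {
        throw new RuntimeException('Not authorized to delete this post');
    }
    $post->delete();
}

// Constructed sample data: Bob is a regular member, both posts belong to Alice.
$bob = new User('uuid-bob');
$open = new Post('uuid-post-1', 'uuid-alice');
deleteCsrfOnly($bob, $open, 'sample-token', 'sample-token');

$guarded = new Post('uuid-post-2', 'uuid-alice');
try {
    deleteAuthorized($bob, $guarded, 'sample-token', 'sample-token');
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
var_dump($open->deleted, $guarded->deleted);
```

A regression test for this class of bug should exercise each destructive action as a non-owner, non-administrator account holding a valid CSRF token and expect a refusal.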

References

  • github.com/Admidio/admidio
  • github.com/Admidio/admidio/security/advisories/GHSA-g375-5wmp-xr78
  • github.com/advisories/GHSA-g375-5wmp-xr78


Affected versions

All versions starting from 5.0.0 before 5.0.7

Fixed versions

  • 5.0.7

Solution

Upgrade to version 5.0.7 or above.

Impact 6.5 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N


Weakness

  • CWE-862: Missing Authorization

Source file

packagist/admidio/admidio/GHSA-g375-5wmp-xr78.yml


Page generated Fri, 10 Apr 2026 12:18:26 +0000.