Installations of CiviCRM (Standalone) include these default roles: "Everyone", "Administrator", and "Staff".
Previously, the default "Staff" role included permission to administer users. However, this is a powerful permission, and many systems should treat it as an "Administrator" permission.

- Going forward, new deployments will not grant `administer users` to "Staff" by default.
- For existing deployments, the original configuration remains. You should consider whether you want to retain or remove this permission. (For removal instructions, see below.)
Affected versions: CiviCRM v5.74.0 - v6.12.0 (Standalone only)

Fixed versions: CiviCRM v6.12.1, v6.10.3 (ESR), and later (Standalone only)
This fix does not require an upgrade. Follow ALL these steps:

- Navigate to "Administer => Users and Permissions => User Roles".
- Find the "Staff" role. In the drilldown menu, right-click "Edit" and open it in a new window.
- Use the browser to search the web page ("Find in Page", or Ctrl-F / Cmd-F). Look for "Administer user accounts". If you find it, remove it.
- Save.
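The manual steps above check a single role by hand. The following script is an added example (it is not CiviCRM project code and does not use the CiviCRM API) showing the same audit applied across every role at once: it flags any non-administrator role that holds the `administer users` permission and produces a corrected role map with that permission stripped only from those roles. The role data is a constructed sample shaped after the default Standalone roles; how you export your real role list into that shape is an assumption left to you.

```python
"""Audit role definitions for the 'administer users' permission.

Added example, not CiviCRM code. Assumes roles have been exported into a
plain mapping of {role_name: [permission, ...]}; the sample below is
constructed for illustration and is not output of any CiviCRM API.
"""
from typing import Dict, Iterable, List, Set

# The permission this advisory is about, by its machine name and by the
# label shown on the "Edit Role" page. Matching is case-insensitive.
TARGET_PERMISSION_NAMES: Set[str] = {"administer users", "administer user accounts"}

# Roles that are expected to hold the permission (the advisory treats it as
# an "Administrator" permission).
DEFAULT_ADMIN_ROLES: Set[str] = {"Administrator"}

# Constructed sample mirroring the three default Standalone roles.
SAMPLE_ROLES: Dict[str, List[str]] = {
    "Everyone": ["access CiviMail subscribe/unsubscribe pages"],
    "Administrator": ["administer CiviCRM", "administer users"],
    "Staff": ["access CiviCRM", "edit all contacts", "administer users"],
}


def _is_target(permission: str) -> bool:
    """True if the permission is 'administer users' under either spelling."""
    return permission.strip().lower() in TARGET_PERMISSION_NAMES


def find_overprivileged(
    roles: Dict[str, Iterable[str]],
    admin_roles: Set[str] = DEFAULT_ADMIN_ROLES,
) -> List[str]:
    """Return the names of non-admin roles that hold 'administer users'."""
    return sorted(
        name
        for name, perms in roles.items()
        if name not in admin_roles and any(_is_target(p) for p in perms)
    )


def strip_from_non_admin(
    roles: Dict[str, Iterable[str]],
    admin_roles: Set[str] = DEFAULT_ADMIN_ROLES,
) -> Dict[str, List[str]]:
    """Return a new role map with 'administer users' removed from non-admin roles.

    Admin roles are left untouched; the input mapping is not modified.
    """
    fixed: Dict[str, List[str]] = {}
    for name, perms in roles.items():
        perms = list(perms)
        if name in admin_roles:
            fixed[name] = perms
        else:
            fixed[name] = [p for p in perms if not _is_target(p)]
    return fixed


if __name__ == "__main__":
    flagged = find_overprivileged(SAMPLE_ROLES)
    print("roles holding 'administer users' without being admin:", flagged)
    remediated = strip_from_non_admin(SAMPLE_ROLES)
    for role, perms in remediated.items():
        print(f"{role}: {perms}")
```

Running the script on the constructed sample reports "Staff" as the only over-privileged role and prints a corrected map in which "Staff" no longer carries the permission while "Administrator" keeps it; on a real export, the flagged list is the set of roles to revisit on the "User Roles" page.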
Credits: Lassi (lassitemp@proton.me), Seamus Lee (JMA Consulting), Tim Otten (CiviCRM), Benjamin W, Rich Lott (Artful Robot), Luke Stewart (Fuzion)
