CVE-2026-32756

HIGH

Admidio: Unrestricted File Upload via CSRF Token Validation Bypass in Documents & Files Module

Title source: cna

Description

Admidio is an open-source user management solution. Versions 5.0.6 and below contain a critical unrestricted file upload vulnerability in the Documents & Files module. Due to a design flaw in how CSRF token validation and file extension verification interact within UploadHandlerFile.php, an authenticated user with upload permissions can bypass file extension restrictions by intentionally submitting an invalid CSRF token. This allows the upload of arbitrary file types, including PHP scripts, which may lead to Remote Code Execution on the server, resulting in full server compromise, data exfiltration, and lateral movement. This issue has been fixed in version 5.0.7.

References (2)

[X_Refsource_Confirm] https://github.com/Admidio/admidio/security/advisories/GHSA-95cq-p4w2-32w5

[X_Refsource_Misc] https://github.com/Admidio/admidio/releases/tag/v5.0.7

Scores

CVSS v3 8.8

EPSS 0.0004

EPSS Percentile 13.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-434

Status published

Products (3)

admidio/admidio < 5.0.7

admidio/admidio 0 - 5.0.7Packagist

Admidio/admidio < 5.0.7

Published Mar 20, 2026

Tracked Since Mar 20, 2026