CVE-2026-32756
HIGHAdmidio: Unrestricted File Upload via CSRF Token Validation Bypass in Documents & Files Module
Title source: cnaDescription
Admidio is an open-source user management solution. Versions 5.0.6 and below contain a critical unrestricted file upload vulnerability in the Documents & Files module. Due to a design flaw in how CSRF token validation and file extension verification interact within UploadHandlerFile.php, an authenticated user with upload permissions can bypass file extension restrictions by intentionally submitting an invalid CSRF token. This allows the upload of arbitrary file types, including PHP scripts, which may lead to Remote Code Execution on the server, resulting in full server compromise, data exfiltration, and lateral movement. This issue has been fixed in version 5.0.7.
References (2)
Core 2
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/Admidio/admidio/security/advisories/GHSA-95cq-p4w2-32w5
X_Refsource_Misc x_refsource_misc
https://github.com/Admidio/admidio/releases/tag/v5.0.7
Scores
CVSS v3
8.8
EPSS
0.0098
EPSS Percentile
57.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-434
Status
published
Products (3)
admidio/admidio
< 5.0.7
admidio/admidio
0 - 5.0.7Packagist
Admidio/admidio
< 5.0.7
Published
Mar 20, 2026
Tracked Since
Mar 20, 2026