Description
Admidio is an open-source user management solution. Versions 5.0.6 and below contain a critical unrestricted file upload vulnerability in the Documents & Files module. Due to a design flaw in how CSRF token validation and file extension verification interact within UploadHandlerFile.php, an authenticated user with upload permissions can bypass file extension restrictions by intentionally submitting an invalid CSRF token. This allows the upload of arbitrary file types, including PHP scripts, which may lead to Remote Code Execution on the server, resulting in full server compromise, data exfiltration, and lateral movement. This issue has been fixed in version 5.0.7.
Published: 2026-03-19
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Admidio versions 5.0.6 and earlier contain an unrestricted file upload flaw (CWE-434) in the Documents & Files module. Because of how CSRF token validation and file extension checking interact in UploadHandlerFile.php, an authenticated user with upload permissions can bypass the extension restriction simply by submitting an invalid CSRF token. The attacker can then upload arbitrary files, including PHP scripts, which, if the server executes them, leads to remote code execution, full server compromise, data exfiltration, and lateral movement.
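The description gives the shape of the flaw but not the code. The following is an added illustration written for this page; it is not Admidio's UploadHandlerFile.php, whose actual control flow is not shown here. It models a hypothetical upload handler in which the extension check is only reached when the CSRF check passes and a CSRF failure is caught and logged rather than aborting, so a deliberately bad token skips the extension check, followed by a fail-closed version. The function names, exception classes and allowlist are assumptions.

```php
<?php
// Added illustration of the CWE-434 check-ordering flaw described for
// CVE-2026-32756. This is NOT Admidio's UploadHandlerFile.php; the real
// control flow is not shown on this page. Names and the allowlist are assumed.
declare(strict_types=1);

final class InvalidCsrfTokenException extends RuntimeException {}
final class UploadRejectedException extends RuntimeException {}

// Assumed allowlist of document extensions.
const ALLOWED_EXTENSIONS = ['pdf', 'png', 'jpg', 'jpeg', 'txt'];

function checkCsrfToken(string $submitted, string $expected): void
{
    if (!hash_equals($expected, $submitted)) {
        throw new InvalidCsrfTokenException('invalid CSRF token');
    }
}

function checkExtension(string $filename): void
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        throw new UploadRejectedException("extension .$ext is not allowed");
    }
}

// Vulnerable pattern (hypothetical): the extension check is only reached if
// the CSRF check passes, and a CSRF failure is caught and logged instead of
// aborting. A client that deliberately sends a bad token therefore skips the
// extension check and the file is stored under its original name.
function handleUploadVulnerable(string $token, string $expected, string $filename): string
{
    try {
        checkCsrfToken($token, $expected);
        checkExtension($filename);
    } catch (InvalidCsrfTokenException $e) {
        error_log('CSRF check failed: ' . $e->getMessage()); // logged, not fatal
    }
    return 'stored:' . $filename;
}

// Hardened pattern: every check fails closed and none depends on another.
// A CSRF failure aborts before anything else runs, the extension check is
// unconditional, and the on-disk name is generated server-side so the client
// never chooses it.
function handleUploadHardened(string $token, string $expected, string $filename): string
{
    checkCsrfToken($token, $expected);   // throws: request aborted
    checkExtension($filename);           // throws: request aborted
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return 'stored:' . bin2hex(random_bytes(8)) . '.' . $ext;
}

// Constructed demo requests: the third one is the bypass.
$expected = 'session-token-123';
$requests = [
    ['session-token-123', 'report.pdf'],
    ['session-token-123', 'shell.php'],
    ['deliberately-bad',  'shell.php'],
];
foreach ($requests as [$token, $filename]) {
    foreach (['handleUploadVulnerable', 'handleUploadHardened'] as $handler) {
        try {
            $result = $handler($token, $expected, $filename);
        } catch (RuntimeException $e) {
            $result = 'rejected (' . $e->getMessage() . ')';
        }
        printf("%-22s token=%-18s %-10s => %s\n", $handler, $token, $filename, $result);
    }
}
```

With a valid token the vulnerable handler correctly rejects shell.php, which is why the flaw is easy to miss in testing; only the third request, the bad-token one, reaches "stored:shell.php". The point of the hardened version is that a failed security check must terminate the request rather than be treated as a recoverable condition.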

Affected Systems

This vulnerability affects the Admidio open-source user management solution, specifically the Documents & Files module. Any installation running version 5.0.6 or earlier is susceptible. The product is identified as admidio:admidio in the Common Platform Enumeration (cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*).

Risk and Exploitability

With a CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), the flaw is high severity. The EPSS score is below 1 %, suggesting a low current probability of exploitation, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The SSVC assessment recorded for this CVE nonetheless notes Exploitation: poc and Technical Impact: total, i.e. proof-of-concept material exists and a successful attack yields full control. Exploitation requires only an authenticated account with upload rights and no user interaction: the attacker deliberately submits an invalid CSRF token so that the extension check is skipped, uploads a PHP script, and obtains arbitrary code execution on the host if the server executes it.

Generated by OpenCVE AI on March 23, 2026 at 18:29 UTC.

Remediation

The vendor has fixed this issue in Admidio 5.0.7 (see the description and the GitHub advisory GHSA-95cq-p4w2-32w5). No workaround is listed on this page.

OpenCVE Recommended Actions

  • Update Admidio to version 5.0.7 or later, which fixes the CSRF token bypass and restores proper file type validation.
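Updating removes the flaw but not anything that was uploaded through it before the update. The following is an added post-update audit helper written for this page; it is not an Admidio tool. It walks an upload directory (the path is an assumption; pass the one your installation uses) and flags files a PHP-enabled web server might execute, by extension, including double extensions such as name.php.jpg that some Apache handler configurations still execute, and by content, for files whose extension was changed but that still begin with a PHP open tag. Run with no argument it builds a constructed demo tree.

```php
<?php
// Added post-update audit helper for CVE-2026-32756; not part of Admidio.
// Reports files under an upload directory that a PHP-capable web server
// might execute. The directory path is an assumption supplied by the caller.
declare(strict_types=1);

const EXECUTABLE_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'phps'];

// True if any dotted segment after the base name is a PHP extension, so
// "shell.php" and "avatar.php.jpg" are both flagged.
function hasExecutableExtension(string $filename): bool
{
    $parts = explode('.', strtolower(basename($filename)));
    array_shift($parts);
    foreach ($parts as $segment) {
        if (in_array($segment, EXECUTABLE_EXTENSIONS, true)) {
            return true;
        }
    }
    return false;
}

// True if the first 4 KiB contain a PHP open tag ("<?php" or "<?=").
function looksLikePhp(string $path): bool
{
    $head = @file_get_contents($path, false, null, 0, 4096);
    if ($head === false) {
        return false;
    }
    return (bool) preg_match('/<\?(php\b|=)/i', $head);
}

// Returns [path => [reasons...]] for every suspicious file under $dir.
function auditUploadDir(string $dir): array
{
    $findings = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $entry) {
        if (!$entry->isFile()) {
            continue;
        }
        $path = $entry->getPathname();
        $reasons = [];
        if (hasExecutableExtension($path)) {
            $reasons[] = 'executable extension';
        }
        if (looksLikePhp($path)) {
            $reasons[] = 'PHP open tag in content';
        }
        if ($reasons !== []) {
            $findings[$path] = $reasons;
        }
    }
    ksort($findings);
    return $findings;
}

// Usage: php audit_uploads.php /path/to/your/admidio/upload/dir
$dir = $argv[1] ?? null;
if ($dir === null) {
    // Constructed demo tree (not real Admidio data) so the script runs stand-alone.
    $dir = sys_get_temp_dir() . '/admidio-upload-audit-demo';
    @mkdir($dir . '/sub', 0700, true);
    file_put_contents("$dir/report.pdf", "%PDF-1.4 demo document");
    file_put_contents("$dir/shell.php", "<?php echo 'planted'; ?>");
    file_put_contents("$dir/sub/avatar.php.jpg", "\xFF\xD8\xFF not really a jpeg");
    file_put_contents("$dir/sub/notes.txt", "<?= 'renamed script' ?>");
}

$findings = auditUploadDir($dir);
foreach ($findings as $path => $reasons) {
    echo $path, ': ', implode(', ', $reasons), PHP_EOL;
}
exit($findings === [] ? 0 : 1);
```

The exit status is non-zero when anything is flagged so the script can run from a cron job or a deployment pipeline. A flagged file is evidence to preserve, not just to delete: its modification time and the matching web server access log entries tell you whether the bypass was actually used before the update.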

Advisories

Source: GitHub GHSA
ID: GHSA-95cq-p4w2-32w5
Title: File Upload(RCE) Vulnerability in admidio
History

Mon, 23 Mar 2026 17:00:00 +0000

Values added:
  • CPEs: cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*

Fri, 20 Mar 2026 17:15:00 +0000

Values added:
  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:00:00 +0000

Values added:
  • First time appeared: Admidio (vendor), Admidio admidio (product)
  • Vendors & Products: Admidio, Admidio admidio

Thu, 19 Mar 2026 23:30:00 +0000

Values added:
  • Description: Admidio is an open-source user management solution. Versions 5.0.6 and below contain a critical unrestricted file upload vulnerability in the Documents & Files module. Due to a design flaw in how CSRF token validation and file extension verification interact within UploadHandlerFile.php, an authenticated user with upload permissions can bypass file extension restrictions by intentionally submitting an invalid CSRF token. This allows the upload of arbitrary file types, including PHP scripts, which may lead to Remote Code Execution on the server, resulting in full server compromise, data exfiltration, and lateral movement. This issue has been fixed in version 5.0.7.
  • Title: Admidio: Unrestricted File Upload via CSRF Token Validation Bypass in Documents & Files Module
  • Weaknesses: CWE-434
  • References:
  • Metrics (cvssV3_1): {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T17:07:02.484Z

Reserved: 2026-03-13T18:53:03.532Z

Link: CVE-2026-32756

Vulnrichment

Updated: 2026-03-20T17:06:49.772Z

NVD

Status: Analyzed

Published: 2026-03-20T00:16:16.763

Modified: 2026-03-23T16:51:44.110

Link: CVE-2026-32756

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:54:04Z

Weaknesses