Description
Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the documents and files module does not verify whether the current user has permission to delete folders or files. The folder_delete and file_delete action handlers in modules/documents-files.php only perform a VIEW authorization check (getFolderForDownload / getFileForDownload) before calling delete(), and they never validate a CSRF token. Because the target UUIDs are read from $_GET, deletion can be triggered by a plain HTTP GET request. When the module is in public mode (documents_files_module_enabled = 1) and a folder is marked public (fol_public = true), an unauthenticated attacker can permanently destroy the entire document library. Even when the module requires login, any user with view-only access can delete content they are only permitted to read. This issue has been fixed in version 5.0.7.
Published: 2026-03-20
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Deletion of Documents and Folders
Action: Immediate Patch
AI Analysis

Impact

Admidio versions 5.0.0 through 5.0.6 allow deletion of folders and files without confirming that the requesting user has permission to do so, and they do not verify a CSRF token. The deletion logic sits behind a simple view check only, meaning that anyone able to trigger the delete action can remove content. This results in permanent loss of documents and a potential denial of service for the document library.

Affected Systems

The vulnerability affects Admidio installations using the documents and files module, specifically versions from 5.0.0 to 5.0.6. If the module is enabled in public mode and a folder is marked as public, an unauthenticated user can delete the entire library. Even in protected mode, any user who can view the content can delete it if they have view-only access.

Risk and Exploitability

The CVSS score of 9.1 indicates a critical severity. Although the EPSS score is below 1%, the lack of required authentication or CSRF protection makes exploitation straightforward by sending a GET request to the delete endpoint. The vulnerability is not yet tracked in the CISA KEV catalog, but the ability to remove critical data poses a significant risk to confidentiality, integrity, and availability. An attacker can achieve complete data loss by exploiting this flaw without needing to bypass authentication.

Generated by OpenCVE AI on March 23, 2026 at 14:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Admidio to version 5.0.7 or later where the authorization and CSRF checks have been fixed.
  • If an upgrade cannot be performed immediately, disable the documents and files module or configure it so that deletion is not available to users in public mode and enforce authentication for all module actions.
  • Verify that the application validates CSRF tokens on all state-changing requests and that delete operations are restricted to users with explicit permission.
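The following is an added illustration of the handler shape the description and the last recommendation refer to; it is not Admidio's source code. It reconstructs the vulnerable pattern (target UUID taken from the query string, a VIEW-only check, no CSRF token, no method restriction) and places a hardened handler beside it. Every interface, method and parameter name (Session, FolderRepository, folder_uuid, csrf_token, userHasDeleteRight, findFolderByUuid) is a hypothetical stand-in; only getFolderForDownload and delete are names the advisory itself mentions.

```php
<?php
declare(strict_types=1);

// Added example, not Admidio's source. All interfaces and names below are
// hypothetical stand-ins chosen to show the pattern the advisory describes.

interface Session
{
    public function isLoggedIn(): bool;
    public function userId(): int;      // 0 for an anonymous (public-mode) visitor
    public function csrfToken(): string; // per-session secret embedded in forms
}

interface Folder
{
    public function userHasDeleteRight(int $userId): bool;
    public function delete(): void;
}

interface FolderRepository
{
    /** Throws if the user may not VIEW the folder; the only check in the vulnerable shape. */
    public function getFolderForDownload(string $uuid, int $userId): Folder;
    public function findFolderByUuid(string $uuid): ?Folder;
}

final class HttpError extends RuntimeException
{
}

// Vulnerable shape (reconstructed): the UUID comes from $_GET, the only
// authorization check is the VIEW check performed by getFolderForDownload(),
// no CSRF token is validated and no HTTP method is enforced, so a plain GET
// request removes the folder. The file_delete handler follows the same shape.
function folderDeleteVulnerable(array $get, Session $session, FolderRepository $repo): void
{
    $uuid = (string)($get['folder_uuid'] ?? '');
    $folder = $repo->getFolderForDownload($uuid, $session->userId()); // VIEW right only
    $folder->delete();
}

// Hardened shape: POST only, authenticated user, CSRF token bound to the
// session, and an explicit DELETE right on the target before removal.
function folderDeleteHardened(string $method, array $post, Session $session, FolderRepository $repo): void
{
    if ($method !== 'POST') {
        throw new HttpError('folder_delete must be sent as POST', 405);
    }
    if (!$session->isLoggedIn()) {
        throw new HttpError('login required', 401);
    }
    $token = (string)($post['csrf_token'] ?? '');
    // hash_equals() compares in constant time; an empty token never matches.
    if ($token === '' || !hash_equals($session->csrfToken(), $token)) {
        throw new HttpError('invalid CSRF token', 403);
    }
    $uuid = (string)($post['folder_uuid'] ?? '');
    $folder = $repo->findFolderByUuid($uuid);
    if ($folder === null || !$folder->userHasDeleteRight($session->userId())) {
        // One response for "missing" and "not deletable", so the endpoint
        // does not confirm which UUIDs exist to callers without rights.
        throw new HttpError('not permitted', 403);
    }
    $folder->delete();
}
```

The four checks in the hardened handler map directly onto the weaknesses named in the description: the method restriction and CSRF token remove the "plain HTTP GET" trigger, the login requirement closes the public-mode case, and the explicit delete-right check closes the view-only-user case that the VIEW check alone leaves open.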


Tracking


Advisories
Source: Github GHSA
ID: GHSA-rmpj-3x5m-9m5f
Title: Admidio is Missing Authorization and CSRF Protection on Document and Folder Deletion
History

Mon, 23 Mar 2026 13:30:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*

Fri, 20 Mar 2026 20:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:00:00 +0000

Type: First Time appeared
Values Added: Admidio; Admidio admidio

Type: Vendors & Products
Values Added: Admidio; Admidio admidio

Fri, 20 Mar 2026 02:15:00 +0000

Type: Description
Values Added: (identical to the Description section at the top of this page)

Type: Title
Values Added: Admidio is Missing Authorization and CSRF Protection on Document and Folder Deletion

Type: Weaknesses
Values Added: CWE-862

Type: References
Values Added: (none recorded)

Type: Metrics (cvssV3_1)
Values Added: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T20:02:30.234Z

Reserved: 2026-03-16T17:35:36.696Z

Link: CVE-2026-32817

Vulnrichment

Updated: 2026-03-20T20:02:26.703Z

NVD

Status : Analyzed

Published: 2026-03-20T02:16:35.380

Modified: 2026-03-23T13:16:30.240

Link: CVE-2026-32817

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:09:39Z

Weaknesses