Admidio: Unrestricted File Upload via CSRF Token Validation Bypass in Documents & Files Module
Description
Admidio is an open-source user management solution. Versions 5.0.6 and below contain a critical unrestricted file upload vulnerability in the Documents & Files module. Due to a design flaw in how CSRF token validation and file extension verification interact within UploadHandlerFile.php, an authenticated user with upload permissions can bypass file extension restrictions by intentionally submitting an invalid CSRF token. This allows the upload of arbitrary file types, including PHP scripts, which may lead to Remote Code Execution on the server, resulting in full server compromise, data exfiltration, and lateral movement. This issue has been fixed in version 5.0.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
admidio/admidioPackagist | < 5.0.7 | 5.0.7 |
Affected products
2Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-95cq-p4w2-32w5ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-32756ghsaADVISORY
- github.com/Admidio/admidio/releases/tag/v5.0.7ghsax_refsource_MISCWEB
- github.com/Admidio/admidio/security/advisories/GHSA-95cq-p4w2-32w5ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.