VYPR
High severity · NVD Advisory · Published Mar 19, 2026 · Updated Mar 20, 2026

Admidio: Unrestricted File Upload via CSRF Token Validation Bypass in Documents & Files Module

CVE-2026-32756

Description

Admidio is an open-source user management solution. Versions 5.0.6 and below contain a critical unrestricted file upload vulnerability in the Documents & Files module. Due to a design flaw in how CSRF token validation and file extension verification interact within UploadHandlerFile.php, an authenticated user with upload permissions can bypass file extension restrictions by intentionally submitting an invalid CSRF token. This allows the upload of arbitrary file types, including PHP scripts, which may lead to Remote Code Execution on the server, resulting in full server compromise, data exfiltration, and lateral movement. This issue has been fixed in version 5.0.7.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An authenticated user with upload permissions can bypass file extension restrictions via an invalid CSRF token in Admidio versions ≤5.0.6, enabling arbitrary file upload and Remote Code Execution.

Vulnerability

Overview

CVE-2026-32756 is a critical unrestricted file upload vulnerability affecting the Documents & Files module of Admidio, an open-source user management solution. The root cause lies in a design flaw in UploadHandlerFile.php, where two methods, handle_form_data() and handle_file_upload(), interact during file processing. When a CSRF token validation fails in handle_form_data(), it sets a file error but does not terminate the request, leading to the file being written to disk by the parent class. The subsequent extension validation and cleanup steps are then skipped due to the error flag, allowing the uploaded file to persist on the server [1][2].

Exploitation

To exploit this vulnerability, an attacker must be an authenticated user with upload permissions in the Documents & Files module. By deliberately submitting a file upload with an invalid CSRF token, the attacker triggers the flawed code path: the file is saved to disk, the extension check (allowedFileExtension()) is skipped because the error flag is already set, and the cleanup routine that would delete a disallowed file never runs. A file with a disallowed extension (such as a .php script) therefore persists on the server even though the request is reported as failed [2].
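The control-flow bug described above, reduced to a runnable model. This is an added illustration, not Admidio's code: the class names, the constant CSRF token, the allow-list in allowedFileExtension() and the temporary upload directory are all assumptions made so the script runs stand-alone. VulnerableHandler reproduces the flaw (the hook records an error but the parent still writes the file, and the extension check is gated on that error flag); FixedHandler shows the fail-closed ordering in which nothing touches the filesystem until both checks pass.

```php
<?php
// Illustrative model (not Admidio's code) of the CSRF-flag / extension-check interaction.

final class CsrfCheck {
    // Assumed token; a real application compares against a session-stored value.
    const VALID_TOKEN = 'session-token-123';
    public static function isValid(?string $token): bool {
        return is_string($token) && hash_equals(self::VALID_TOKEN, $token);
    }
}

// Assumed allow-list; the real list lives in Admidio's configuration.
function allowedFileExtension(string $name): bool {
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, ['pdf', 'png', 'jpg', 'txt'], true);
}

class BaseUploadHandler {
    protected $uploadDir;
    public function __construct(string $uploadDir) { $this->uploadDir = $uploadDir; }

    // Hook for subclasses. In the flawed design it can only record an error.
    protected function handleFormData(stdClass $file, array $post): void {}

    // Parent flow: build $file, run the hook, then write the file to disk
    // whether or not the hook set $file->error.
    public function handleFileUpload(string $contents, string $name, array $post): stdClass {
        $file = new stdClass();
        $file->name = basename($name);
        $file->error = null;
        $this->handleFormData($file, $post);
        $file->path = $this->uploadDir . '/' . $file->name;
        file_put_contents($file->path, $contents);   // file is now on disk
        return $file;
    }
}

class VulnerableHandler extends BaseUploadHandler {
    protected function handleFormData(stdClass $file, array $post): void {
        if (!CsrfCheck::isValid($post['csrf_token'] ?? null)) {
            $file->error = 'invalid CSRF token';   // flag set, but the request continues
        }
    }
    public function handleFileUpload(string $contents, string $name, array $post): stdClass {
        $file = parent::handleFileUpload($contents, $name, $post);
        // Extension check and cleanup run only when no earlier error was recorded,
        // so an invalid CSRF token skips both and the file stays on disk.
        if ($file->error === null && !allowedFileExtension($file->name)) {
            $file->error = 'extension not allowed';
            unlink($file->path);
        }
        return $file;
    }
}

class FixedHandler extends BaseUploadHandler {
    public function handleFileUpload(string $contents, string $name, array $post): stdClass {
        $file = new stdClass();
        $file->name = basename($name);
        $file->error = null;
        // Fail closed: reject before anything is written.
        if (!CsrfCheck::isValid($post['csrf_token'] ?? null)) {
            $file->error = 'invalid CSRF token';
            return $file;
        }
        if (!allowedFileExtension($file->name)) {
            $file->error = 'extension not allowed';
            return $file;
        }
        return parent::handleFileUpload($contents, $name, $post);
    }
}

// Demo: same malicious request against both handlers.
$dir = sys_get_temp_dir() . '/upload-demo-' . getmypid();
mkdir($dir);
$payload = "<?php echo 'rce'; ?>";   // constructed sample upload body
foreach (['VulnerableHandler', 'FixedHandler'] as $cls) {
    $handler = new $cls($dir);
    $result = $handler->handleFileUpload($payload, 'shell.php', ['csrf_token' => 'wrong']);
    printf("%s: error=%s, shell.php on disk=%s\n", $cls,
        $result->error ?? 'none', file_exists($dir . '/shell.php') ? 'yes' : 'no');
    @unlink($dir . '/shell.php');
}
rmdir($dir);
```

Run with `php` from the command line. The vulnerable handler reports the CSRF error yet leaves shell.php in the upload directory, which is exactly the state an attacker wants; the fixed handler reports the same error with nothing written. The general lesson is that a validation hook which can only set a flag is not a guard: any check whose failure must stop processing has to return or throw before the side effect, and later checks must not be conditioned on "no error so far".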

Impact

Successful exploitation allows the attacker to upload arbitrary file types, including executable PHP scripts. If the uploaded file is accessible via the web server (e.g., within the document root), this can lead to Remote Code Execution (RCE) on the server. The vendor notes that this could result in full server compromise, data exfiltration, and lateral movement within the network [1]. The vulnerability is rated as critical due to the ease of exploitation once authenticated and the high potential impact of RCE.

Mitigation

The issue has been fixed in Admidio version 5.0.7, released on March 19, 2026. Users running version 5.0.6 or earlier are strongly advised to update immediately [4]. No workaround has been published; every version up to and including 5.0.6 remains affected. There is no indication that this CVE is currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, but given its severity, patching is urgent [2].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                        Affected versions   Patched versions
admidio/admidio (Packagist)    < 5.0.7             5.0.7

Affected products (2)

  • Admidio/Admidio (2 version ranges)
    • (no CPE) range: <= 5.0.6
    • (no CPE) range: < 5.0.7

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (4)

News mentions (0)

No linked articles in our index yet.