Admidio is Missing Authorization and CSRF Protection on Document and Folder Deletion
Description
Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the documents and files module does not verify whether the current user has permission to delete folders or files. The folder_delete and file_delete action handlers in modules/documents-files.php only perform a VIEW authorization check (getFolderForDownload / getFileForDownload) before calling delete(), and they never validate a CSRF token. Because the target UUIDs are read from $_GET, deletion can be triggered by a plain HTTP GET request. When the module is in public mode (documents_files_module_enabled = 1) and a folder is marked public (fol_public = true), an unauthenticated attacker can permanently destroy the entire document library. Even when the module requires login, any user with view-only access can delete content they are only permitted to read. This issue has been fixed in version 5.0.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Admidio 5.0.0–5.0.6 lacks authorization and CSRF protection on document/folder deletion, allowing unauthenticated attackers to destroy the entire document library via a single GET request.
Vulnerability Overview
CVE-2026-32817 is a missing authorization and CSRF protection vulnerability in the documents and files module of Admidio, an open-source user management system. In versions 5.0.0 through 5.0.6, the folder_delete and file_delete action handlers in modules/documents-files.php only perform a VIEW authorization check (getFolderForDownload / getFileForDownload) before calling the delete() method, and they never validate a CSRF token [1][2]. The target UUIDs are read directly from $_GET, meaning deletion can be triggered by a plain HTTP GET request without any additional authentication or token [1].
Attack Surface and Exploitation
The module's access check only blocks unauthenticated users when the setting documents_files_module_enabled is set to 2 (members-only). When the setting is 1 (public), no login is required to reach any action handler [1]. If a folder is marked as public (fol_public = true), an unauthenticated attacker can permanently destroy the entire document library by sending a crafted GET request to the vulnerable endpoint. Even when the module requires login, any authenticated user with view-only access can delete content they are only permitted to read [1][2].
Impact
An attacker exploiting this vulnerability can permanently delete all files and folders in the document library, leading to complete data loss of stored documents. No special privileges beyond view access (or no authentication at all in public mode) are required, making this a high-severity issue that can be exploited remotely without user interaction [1][2].
Mitigation
The issue has been fixed in Admidio version 5.0.7 [1][2]. Users running versions 5.0.0 through 5.0.6 should upgrade immediately to 5.0.7 or later. No workarounds are documented; the fix adds proper authorization checks and CSRF token validation to the delete handlers [1].
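The two patterns described above (a destructive action gated only by a view check, reachable over GET with no CSRF token, and the fix that adds a proper authorization check plus token validation) side by side, as an added illustration in the project's language. This is not Admidio's code: the Folder and FolderStore classes, the handler names, the request parameters, the session key and the sample data are all assumptions made up for the demo, and the hardened handler shows the general pattern, not the exact change shipped in 5.0.7.

```php
<?php
// Added example, not Admidio's code. A hypothetical document-folder delete
// handler in the weak form the advisory describes, beside a hardened version.
// Class names, helper names, request parameters and sample data are assumptions.
declare(strict_types=1);

final class Folder
{
    /** @param string[] $readers users allowed to view  @param string[] $editors users allowed to delete */
    public function __construct(
        public string $uuid,
        public bool $public,      // analogous to fol_public: anyone may view
        public array $readers,
        public array $editors,
    ) {}
}

/** Hypothetical in-memory store standing in for the database. */
final class FolderStore
{
    /** @var array<string, Folder> */
    private array $folders = [];
    public function add(Folder $f): void { $this->folders[$f->uuid] = $f; }
    public function get(string $uuid): ?Folder { return $this->folders[$uuid] ?? null; }
    public function delete(string $uuid): void { unset($this->folders[$uuid]); }
    public function count(): int { return count($this->folders); }
}

// --- Weak pattern (the shape the advisory describes) ---------------------------
// The UUID comes from the query string, the only check before delete() is a VIEW
// check, and no CSRF token is required. A plain link or <img src="..."> reaches it,
// and for a public folder no login is needed at all.
function weakFolderDelete(FolderStore $store, ?string $user, array $get): string
{
    $folder = $store->get($get['folder_uuid'] ?? '');
    if ($folder === null) { return 'not found'; }
    $canView = $folder->public || ($user !== null && in_array($user, $folder->readers, true));
    if (!$canView) { return 'forbidden'; }
    $store->delete($folder->uuid);          // destructive action behind a read check
    return 'deleted';
}

// --- Hardened pattern ----------------------------------------------------------
// 1. state-changing action only via POST (UUID taken from the body, not $_GET),
// 2. CSRF token bound to the session and compared in constant time,
// 3. an explicit edit/delete permission, checked separately from view access.
function hardenedFolderDelete(FolderStore $store, ?string $user, string $method, array $post, array $session): string
{
    if ($method !== 'POST') { return 'method not allowed'; }
    $token = $post['csrf_token'] ?? '';
    if (!isset($session['csrf_token']) || !hash_equals($session['csrf_token'], $token)) {
        return 'invalid csrf token';
    }
    if ($user === null) { return 'login required'; }
    $folder = $store->get($post['folder_uuid'] ?? '');
    if ($folder === null) { return 'not found'; }
    if (!in_array($user, $folder->editors, true)) { return 'forbidden'; }  // delete needs edit rights
    $store->delete($folder->uuid);
    return 'deleted';
}

// --- Demo on constructed data ----------------------------------------------------
$store = new FolderStore();
$store->add(new Folder('f1', true,  ['alice'], ['admin']));  // public folder
$store->add(new Folder('f2', false, ['alice'], ['admin']));  // members-only folder

// Unauthenticated GET against the public folder: the weak handler removes it.
echo "weak, anonymous GET on f1: ", weakFolderDelete($store, null, ['folder_uuid' => 'f1']), "\n";
// The same kind of request against the hardened handler is refused before any lookup.
echo "hardened, anonymous GET on f2: ", hardenedFolderDelete($store, null, 'GET', ['folder_uuid' => 'f2'], []), "\n";

$session = ['csrf_token' => bin2hex(random_bytes(32))];
$body    = ['folder_uuid' => 'f2', 'csrf_token' => $session['csrf_token']];
// A logged-in viewer with a valid token still may not delete what she can only read.
echo "hardened, viewer alice POST on f2: ", hardenedFolderDelete($store, 'alice', 'POST', $body, $session), "\n";
// A forged request without the session token fails even for an editor.
echo "hardened, admin POST without token: ", hardenedFolderDelete($store, 'admin', 'POST', ['folder_uuid' => 'f2'], $session), "\n";
// An editor with a valid token may delete.
echo "hardened, editor admin POST on f2: ", hardenedFolderDelete($store, 'admin', 'POST', $body, $session), "\n";
echo "folders left: ", $store->count(), "\n";
```

The order of the checks in the hardened handler is deliberate: method and token are rejected first, so a forged cross-site request never reaches the database lookup, and the permission consulted is the edit set rather than the read set, which is the distinction the vulnerable handlers collapsed.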
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| admidio/admidio (Packagist) | >= 5.0.0, < 5.0.7 | 5.0.7 |
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-rmpj-3x5m-9m5f (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-32817 (NVD entry)
- github.com/Admidio/admidio/security/advisories/GHSA-rmpj-3x5m-9m5f (vendor advisory, x_refsource_CONFIRM)