CVE-2026-32756 HIGH

CVE-2026-32756: Admidio: Unrestricted File Upload via CSRF Token Validation Bypass in Documents & Files Module

Vendor Admidio
Product admidio
Weakness CWE-434 · Unrestricted file upload
Published March 19, 2026
Last update March 20, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Admidio is an open-source user management solution. Versions 5.0.6 and below contain a critical unrestricted file upload vulnerability in the Documents & Files module. Due to a design flaw in how CSRF token validation and file extension verification interact within UploadHandlerFile.php, an authenticated user with upload permissions can bypass file extension restrictions by intentionally submitting an invalid CSRF token. This allows the upload of arbitrary file types, including PHP scripts, which may lead to Remote Code Execution on the server, resulting in full server compromise, data exfiltration, and lateral movement. This issue has been fixed in version 5.0.7.

Key dates

02Disclosure timeline

March 19, 2026 CVE published
March 20, 2026 Record updated