CVE-2026-32756 (GCVE-0-2026-32756)
Vulnerability from cvelistv5 – Published: 2026-03-19 23:08 – Updated: 2026-03-20 17:07
VLAI?
Title
Admidio: Unrestricted File Upload via CSRF Token Validation Bypass in Documents & Files Module
Summary
Admidio is an open-source user management solution. Versions 5.0.6 and below contain a critical unrestricted file upload vulnerability in the Documents & Files module. Due to a design flaw in how CSRF token validation and file extension verification interact within UploadHandlerFile.php, an authenticated user with upload permissions can bypass file extension restrictions by intentionally submitting an invalid CSRF token. This allows the upload of arbitrary file types, including PHP scripts, which may lead to Remote Code Execution on the server, resulting in full server compromise, data exfiltration, and lateral movement. This issue has been fixed in version 5.0.7.
Severity ?
8.8 (High)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32756",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-20T17:06:10.742686Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T17:07:02.484Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "admidio",
"vendor": "Admidio",
"versions": [
{
"status": "affected",
"version": "\u003c 5.0.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Admidio is an open-source user management solution. Versions 5.0.6 and below contain a critical unrestricted file upload vulnerability in the Documents \u0026 Files module. Due to a design flaw in how CSRF token validation and file extension verification interact within UploadHandlerFile.php, an authenticated user with upload permissions can bypass file extension restrictions by intentionally submitting an invalid CSRF token. This allows the upload of arbitrary file types, including PHP scripts, which may lead to Remote Code Execution on the server, resulting in full server compromise, data exfiltration, and lateral movement. This issue has been fixed in version 5.0.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T23:08:03.470Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Admidio/admidio/security/advisories/GHSA-95cq-p4w2-32w5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-95cq-p4w2-32w5"
},
{
"name": "https://github.com/Admidio/admidio/releases/tag/v5.0.7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Admidio/admidio/releases/tag/v5.0.7"
}
],
"source": {
"advisory": "GHSA-95cq-p4w2-32w5",
"discovery": "UNKNOWN"
},
"title": "Admidio: Unrestricted File Upload via CSRF Token Validation Bypass in Documents \u0026 Files Module"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32756",
"datePublished": "2026-03-19T23:08:03.470Z",
"dateReserved": "2026-03-13T18:53:03.532Z",
"dateUpdated": "2026-03-20T17:07:02.484Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-32756\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-20T00:16:16.763\",\"lastModified\":\"2026-03-23T16:51:44.110\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Admidio is an open-source user management solution. Versions 5.0.6 and below contain a critical unrestricted file upload vulnerability in the Documents \u0026 Files module. Due to a design flaw in how CSRF token validation and file extension verification interact within UploadHandlerFile.php, an authenticated user with upload permissions can bypass file extension restrictions by intentionally submitting an invalid CSRF token. This allows the upload of arbitrary file types, including PHP scripts, which may lead to Remote Code Execution on the server, resulting in full server compromise, data exfiltration, and lateral movement. This issue has been fixed in version 5.0.7.\"},{\"lang\":\"es\",\"value\":\"Admidio es una soluci\u00f3n de gesti\u00f3n de usuarios de c\u00f3digo abierto. Las versiones 5.0.6 e inferiores contienen una cr\u00edtica vulnerabilidad de carga de archivos sin restricciones en el m\u00f3dulo Documentos y Archivos. Debido a un fallo de dise\u00f1o en c\u00f3mo la validaci\u00f3n del token CSRF y la verificaci\u00f3n de la extensi\u00f3n de archivo interact\u00faan dentro de UploadHandlerFile.php, un usuario autenticado con permisos de carga puede eludir las restricciones de extensi\u00f3n de archivo al enviar intencionadamente un token CSRF no v\u00e1lido. Esto permite la carga de tipos de archivo arbitrarios, incluyendo scripts PHP, lo que puede conducir a la ejecuci\u00f3n remota de c\u00f3digo en el servidor, resultando en un compromiso total del servidor, exfiltraci\u00f3n de datos y movimiento lateral. Este problema ha sido solucionado en la versi\u00f3n 5.0.7.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-434\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"5.0.7\",\"matchCriteriaId\":\"3347E657-D132-4D87-A355-391136657A27\"}]}]}],\"references\":[{\"url\":\"https://github.com/Admidio/admidio/releases/tag/v5.0.7\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Product\"]},{\"url\":\"https://github.com/Admidio/admidio/security/advisories/GHSA-95cq-p4w2-32w5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"cna\": {\"title\": \"Admidio: Unrestricted File Upload via CSRF Token Validation Bypass in Documents \u0026 Files Module\", \"source\": {\"advisory\": \"GHSA-95cq-p4w2-32w5\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"Admidio\", \"product\": \"admidio\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 5.0.7\"}]}], \"references\": [{\"url\": \"https://github.com/Admidio/admidio/security/advisories/GHSA-95cq-p4w2-32w5\", \"name\": \"https://github.com/Admidio/admidio/security/advisories/GHSA-95cq-p4w2-32w5\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/Admidio/admidio/releases/tag/v5.0.7\", \"name\": \"https://github.com/Admidio/admidio/releases/tag/v5.0.7\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Admidio is an open-source user management solution. Versions 5.0.6 and below contain a critical unrestricted file upload vulnerability in the Documents \u0026 Files module. Due to a design flaw in how CSRF token validation and file extension verification interact within UploadHandlerFile.php, an authenticated user with upload permissions can bypass file extension restrictions by intentionally submitting an invalid CSRF token. This allows the upload of arbitrary file types, including PHP scripts, which may lead to Remote Code Execution on the server, resulting in full server compromise, data exfiltration, and lateral movement. This issue has been fixed in version 5.0.7.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-434\", \"description\": \"CWE-434: Unrestricted Upload of File with Dangerous Type\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-19T23:08:03.470Z\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-32756\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-20T17:06:10.742686Z\"}}}], \"providerMetadata\": {\"shortName\": \"CISA-ADP\", \"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"dateUpdated\": \"2026-03-20T17:06:49.772Z\"}}]}",
"cveMetadata": "{\"cveId\": \"CVE-2026-32756\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-19T23:08:03.470Z\", \"dateReserved\": \"2026-03-13T18:53:03.532Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-19T23:08:03.470Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-32756
Vulnerability from fkie_nvd - Published: 2026-03-20 00:16 - Updated: 2026-03-23 16:51
Severity ?
Summary
Admidio is an open-source user management solution. Versions 5.0.6 and below contain a critical unrestricted file upload vulnerability in the Documents & Files module. Due to a design flaw in how CSRF token validation and file extension verification interact within UploadHandlerFile.php, an authenticated user with upload permissions can bypass file extension restrictions by intentionally submitting an invalid CSRF token. This allows the upload of arbitrary file types, including PHP scripts, which may lead to Remote Code Execution on the server, resulting in full server compromise, data exfiltration, and lateral movement. This issue has been fixed in version 5.0.7.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/Admidio/admidio/releases/tag/v5.0.7 | Patch, Product | |
| security-advisories@github.com | https://github.com/Admidio/admidio/security/advisories/GHSA-95cq-p4w2-32w5 | Exploit, Mitigation, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3347E657-D132-4D87-A355-391136657A27",
"versionEndExcluding": "5.0.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Admidio is an open-source user management solution. Versions 5.0.6 and below contain a critical unrestricted file upload vulnerability in the Documents \u0026 Files module. Due to a design flaw in how CSRF token validation and file extension verification interact within UploadHandlerFile.php, an authenticated user with upload permissions can bypass file extension restrictions by intentionally submitting an invalid CSRF token. This allows the upload of arbitrary file types, including PHP scripts, which may lead to Remote Code Execution on the server, resulting in full server compromise, data exfiltration, and lateral movement. This issue has been fixed in version 5.0.7."
},
{
"lang": "es",
"value": "Admidio es una soluci\u00f3n de gesti\u00f3n de usuarios de c\u00f3digo abierto. Las versiones 5.0.6 e inferiores contienen una cr\u00edtica vulnerabilidad de carga de archivos sin restricciones en el m\u00f3dulo Documentos y Archivos. Debido a un fallo de dise\u00f1o en c\u00f3mo la validaci\u00f3n del token CSRF y la verificaci\u00f3n de la extensi\u00f3n de archivo interact\u00faan dentro de UploadHandlerFile.php, un usuario autenticado con permisos de carga puede eludir las restricciones de extensi\u00f3n de archivo al enviar intencionadamente un token CSRF no v\u00e1lido. Esto permite la carga de tipos de archivo arbitrarios, incluyendo scripts PHP, lo que puede conducir a la ejecuci\u00f3n remota de c\u00f3digo en el servidor, resultando en un compromiso total del servidor, exfiltraci\u00f3n de datos y movimiento lateral. Este problema ha sido solucionado en la versi\u00f3n 5.0.7."
}
],
"id": "CVE-2026-32756",
"lastModified": "2026-03-23T16:51:44.110",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-03-20T00:16:16.763",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Product"
],
"url": "https://github.com/Admidio/admidio/releases/tag/v5.0.7"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-95cq-p4w2-32w5"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
GHSA-95CQ-P4W2-32W5
Vulnerability from github – Published: 2026-03-16 21:16 – Updated: 2026-03-20 21:15
VLAI?
Summary
File Upload(RCE) Vulnerability in admidio
Details
Summary
A critical unrestricted file upload vulnerability exists in the Documents & Files module of Admidio. Due to a design flaw in how CSRF token validation and file extension verification interact within UploadHandlerFile.php, an authenticated user with upload permissions can bypass file extension restrictions by intentionally submitting an invalid CSRF token. This allows the upload of arbitrary file types, including PHP scripts, which may lead to Remote Code Execution (RCE) on the server.
Details
1. Critical - Unrestricted File Upload leading to Remote Code Execution (RCE)
Root Cause Analysis:
The root cause lies in a design flaw in src/Infrastructure/Plugins/UploadHandlerFile.php. The UploadHandlerFile class overrides two methods from its parent UploadHandler class:
handle_form_data($file, $index)— Validates the CSRF token. On failure, it sets$file->errorand returns. The request is not terminated.handle_file_upload(...)— Callsparent::handle_file_upload()to physically write the file to disk, then checksif (!isset($file->error))before running file extension validation (allowedFileExtension()).
The execution flow differs based on whether the CSRF token is valid:
- Valid CSRF token:
handle_form_data()does not set an error → extension check runs → invalid extension causes the uploaded file to be deleted from disk. - Invalid CSRF token:
handle_form_data()sets$file->error→ theif (!isset($file->error))guard inhandle_file_upload()causes the extension validation to be skipped entirely → the cleanup code (FileSystemUtils::deleteFileIfExists()) is never reached → the file, already written to disk by the parent class, remains on the server and is directly accessible.
In summary, the file is always saved to disk by the parent class first. The extension check and cleanup only execute when no prior error exists. A deliberate CSRF token failure bypasses the extension filter while the file remains on disk.
Affected code (src/Infrastructure/Plugins/UploadHandlerFile.php):
// File is physically saved to disk here, before any Admidio-specific checks
$file = parent::handle_file_upload($uploaded_file, $name, $size, $type, $error, $index, $content_range);
if (!isset($file->error)) {
// Extension validation is only reached when no prior error is set.
// If CSRF validation failed in handle_form_data(), this block is skipped
// and the uploaded file is never cleaned up from disk.
if (!$newFile->allowedFileExtension()) {
throw new Exception('SYS_FILE_EXTENSION_INVALID');
}
}
PoC
Documents & Files Create folder
File Upload Try 1-1 (before request)
File Upload Try 1-2 (after request)
File Upload Try 1-3 (After changing CSRF to a test value, request → PHP file upload succeeds)
✅ rcepoc.php Upload Success!
Access the rcepoc upload path confirmed in the response and check the web shell.
🆗 WebShell Success
Steps to Reproduce:
- Log in to Admidio as an authenticated user with upload permissions on the Documents & Files module.
- Navigate to a folder in the Documents & Files module and open the file upload dialog.
- Intercept the upload POST request to
/system/file_upload.php?module=documents_files&mode=upload_files&uuid=<folder_uuid>using a proxy tool such as Burp Suite. - Replace the value of the
adm_csrf_tokenfield with an arbitrary invalid string (e.g.,webshellgogo). - Set the file to be uploaded to a PHP webshell (e.g.,
<?php system($_GET[1]); ?>). - Forward the modified request.
- Observe that the server responds with HTTP
200 OK. The JSON body contains"error":"Invalid or missing CSRF token!", yet the file is physically present on the server at the path indicated in theurlfield. - Access the uploaded PHP file directly via the URL provided in the response — arbitrary command execution is confirmed.
Impact
- An authenticated attacker with upload permissions can bypass file extension validation and upload arbitrary server-side scripts such as PHP webshells.
- This leads to Remote Code Execution (RCE), potentially resulting in full server compromise, sensitive data exfiltration, and lateral movement.
- While authentication is required, the attack is not limited to administrators — any member granted upload rights may exploit this vulnerability, making the attack surface broader than it may initially appear.
Remediation Measures
- The extension validation logic should be executed independently of the CSRF error state. It is recommended to move the extension check and the corresponding cleanup outside of the
if (!isset($file->error))block so that files with disallowed extensions are always removed from disk, regardless of other errors. - Rather than relying on a blacklist of dangerous extensions (e.g.,
.php,.phar,.phtml), it is strongly recommended to implement a whitelist of permitted extensions appropriate to a documents module (e.g.,.pdf,.docx,.xlsx,.pptx,.txt). - CSRF token validation should either be performed before the file is written to disk, or a validation failure should result in immediate request termination rather than merely setting an error flag on the file object.
Severity ?
8.8 (High)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.0.6"
},
"package": {
"ecosystem": "Packagist",
"name": "admidio/admidio"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.0.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32756"
],
"database_specific": {
"cwe_ids": [
"CWE-434"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-16T21:16:50Z",
"nvd_published_at": "2026-03-20T00:16:16Z",
"severity": "HIGH"
},
"details": "### **Summary**\n\nA critical unrestricted file upload vulnerability exists in the Documents \u0026 Files module of Admidio. Due to a design flaw in how CSRF token validation and file extension verification interact within `UploadHandlerFile.php`, an authenticated user with upload permissions can bypass file extension restrictions by intentionally submitting an invalid CSRF token. This allows the upload of arbitrary file types, including PHP scripts, which may lead to Remote Code Execution (RCE) on the server.\n\n### **Details**\n\n**1. Critical - Unrestricted File Upload leading to Remote Code Execution (RCE)**\n\n**Root Cause Analysis:**\n\nThe root cause lies in a design flaw in `src/Infrastructure/Plugins/UploadHandlerFile.php`. The `UploadHandlerFile` class overrides two methods from its parent `UploadHandler` class:\n\n- `handle_form_data($file, $index)` \u2014 Validates the CSRF token. On failure, it sets `$file-\u003eerror` and returns. The request is **not** terminated.\n- `handle_file_upload(...)` \u2014 Calls `parent::handle_file_upload()` to physically write the file to disk, then checks `if (!isset($file-\u003eerror))` before running file extension validation (`allowedFileExtension()`).\n\nThe execution flow differs based on whether the CSRF token is valid:\n\n- **Valid CSRF token**: `handle_form_data()` does not set an error \u2192 extension check runs \u2192 invalid extension causes the uploaded file to be deleted from disk.\n- **Invalid CSRF token**: `handle_form_data()` sets `$file-\u003eerror` \u2192 the `if (!isset($file-\u003eerror))` guard in `handle_file_upload()` causes the extension validation to be skipped entirely \u2192 the cleanup code (`FileSystemUtils::deleteFileIfExists()`) is never reached \u2192 the file, already written to disk by the parent class, remains on the server and is directly accessible.\n\nIn summary, the file is always saved to disk by the parent class first. The extension check and cleanup only execute when no prior error exists. A deliberate CSRF token failure bypasses the extension filter while the file remains on disk.\n\n**Affected code** (`src/Infrastructure/Plugins/UploadHandlerFile.php`):\n\n```php\n// File is physically saved to disk here, before any Admidio-specific checks\n$file = parent::handle_file_upload($uploaded_file, $name, $size, $type, $error, $index, $content_range);\n\nif (!isset($file-\u003eerror)) {\n // Extension validation is only reached when no prior error is set.\n // If CSRF validation failed in handle_form_data(), this block is skipped\n // and the uploaded file is never cleaned up from disk.\n if (!$newFile-\u003eallowedFileExtension()) {\n throw new Exception(\u0027SYS_FILE_EXTENSION_INVALID\u0027);\n }\n}\n```\n\n### **PoC**\n\nDocuments \u0026 Files Create folder\n\u003cimg width=\"762\" height=\"729\" alt=\"image\" src=\"https://github.com/user-attachments/assets/2c927482-851b-4945-93d6-6e7a1e3bc21f\" /\u003e\n\n\u003cimg width=\"749\" height=\"690\" alt=\"image\" src=\"https://github.com/user-attachments/assets/72443c87-e15f-4312-9659-8cd0661a4dae\" /\u003e\n\n\nFile Upload Try 1-1 (before request)\n\u003cimg width=\"1856\" height=\"635\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d1ffaa12-aec1-45ff-a612-885d9554fb60\" /\u003e\n\n\nFile Upload Try 1-2 (after request)\n\u003cimg width=\"1850\" height=\"855\" alt=\"image\" src=\"https://github.com/user-attachments/assets/4ece4aac-1255-4189-9048-45ff3df4abcf\" /\u003e\n\n\n\nFile Upload Try 1-3 (After changing CSRF to a test value, request \u2192 PHP file upload succeeds)\n\u003cimg width=\"1847\" height=\"928\" alt=\"image\" src=\"https://github.com/user-attachments/assets/63f9d108-5e4f-4d32-96d2-09f9ad910873\" /\u003e\n\n\n\u2705 rcepoc.php Upload Success!\n\u003cimg width=\"926\" height=\"814\" alt=\"image\" src=\"https://github.com/user-attachments/assets/4de99c31-dc3c-44f2-9936-19c3da0dfffb\" /\u003e\n\n\nAccess the rcepoc upload path confirmed in the response and check the web shell.\n\u003cimg width=\"1635\" height=\"922\" alt=\"image\" src=\"https://github.com/user-attachments/assets/0b770caf-e737-4cbd-97b9-ae191a8b79f5\" /\u003e\n\n\n\ud83c\udd97\u00a0WebShell Success\n\u003cimg width=\"685\" height=\"187\" alt=\"image\" src=\"https://github.com/user-attachments/assets/e90f162b-7949-41c4-9fd1-aad3b6365adf\" /\u003e\n\n\u003cimg width=\"794\" height=\"209\" alt=\"image\" src=\"https://github.com/user-attachments/assets/f45dae74-a830-4761-af31-f2ac28eb2586\" /\u003e\n\n\n**Steps to Reproduce:**\n\n1. Log in to Admidio as an authenticated user with upload permissions on the Documents \u0026 Files module.\n2. Navigate to a folder in the Documents \u0026 Files module and open the file upload dialog.\n3. Intercept the upload POST request to `/system/file_upload.php?module=documents_files\u0026mode=upload_files\u0026uuid=\u003cfolder_uuid\u003e` using a proxy tool such as Burp Suite.\n4. Replace the value of the `adm_csrf_token` field with an arbitrary invalid string (e.g., `webshellgogo`).\n5. Set the file to be uploaded to a PHP webshell (e.g., `\u003c?php system($_GET[1]); ?\u003e`).\n6. Forward the modified request.\n7. Observe that the server responds with HTTP `200 OK`. The JSON body contains `\"error\":\"Invalid or missing CSRF token!\"`, yet the file is physically present on the server at the path indicated in the `url` field.\n8. Access the uploaded PHP file directly via the URL provided in the response \u2014 arbitrary command execution is confirmed.\n\n### **Impact**\n\n- An authenticated attacker with upload permissions can bypass file extension validation and upload arbitrary server-side scripts such as PHP webshells.\n- This leads to Remote Code Execution (RCE), potentially resulting in full server compromise, sensitive data exfiltration, and lateral movement.\n- While authentication is required, the attack is not limited to administrators \u2014 any member granted upload rights may exploit this vulnerability, making the attack surface broader than it may initially appear.\n\n### **Remediation Measures**\n\n- The extension validation logic should be executed independently of the CSRF error state. It is recommended to move the extension check and the corresponding cleanup outside of the `if (!isset($file-\u003eerror))` block so that files with disallowed extensions are always removed from disk, regardless of other errors.\n- Rather than relying on a blacklist of dangerous extensions (e.g., `.php`, `.phar`, `.phtml`), it is strongly recommended to implement a **whitelist** of permitted extensions appropriate to a documents module (e.g., `.pdf`, `.docx`, `.xlsx`, `.pptx`, `.txt`).\n- CSRF token validation should either be performed before the file is written to disk, or a validation failure should result in immediate request termination rather than merely setting an error flag on the file object.",
"id": "GHSA-95cq-p4w2-32w5",
"modified": "2026-03-20T21:15:25Z",
"published": "2026-03-16T21:16:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-95cq-p4w2-32w5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32756"
},
{
"type": "PACKAGE",
"url": "https://github.com/Admidio/admidio"
},
{
"type": "WEB",
"url": "https://github.com/Admidio/admidio/releases/tag/v5.0.7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "File Upload(RCE) Vulnerability in admidio"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…