CVE-2026-32756
Published 2026-03-20
Priority P2 · 64 · CVSS 3.1: 8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.98% (57.9th percentile)
Admidio is an open-source user management solution. Versions 5.0.6 and below contain a critical unrestricted file upload vulnerability in the Documents & Files module. Due to a design flaw in how CSRF token validation and file extension verification interact within UploadHandlerFile.php, an authenticated user with upload permissions can bypass file extension restrictions by intentionally submitting an invalid CSRF token. This allows the upload of arbitrary file types, including PHP scripts, which may lead to Remote Code Execution on the server, resulting in full server compromise, data exfiltration, and lateral movement. This issue has been fixed in version 5.0.7.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| admidio | admidio | < 5.0.7 | 5.0.7 |
| admidio | admidio | >= 0 < 5.0.7 | 5.0.7 |
Detection & IOCs (extracted from sources)
- Vulnerable file identified: the flaw exists within UploadHandlerFile.php in the Admidio Documents & Files module — monitor for unexpected file uploads processed through this handler
- Detect upload requests to Admidio's Documents & Files module that carry an intentionally invalid/malformed CSRF token alongside a file upload — this is the bypass mechanism
- Alert on PHP script files (e.g., .php, .php5, .phtml) uploaded to the Admidio Documents & Files module storage path, as successful exploitation results in a web-accessible PHP shell
- Exploitation requires an authenticated user with upload permissions — access control review of upload-capable accounts is a relevant mitigation layer
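A file-system check for the third indicator above (PHP script files landing in the Documents & Files storage path), as an added example that is not part of the advisory or of Admidio's code. The storage tree, the sample file names and the extension aliases beyond .php/.php5/.phtml are assumptions; the check also covers case variants and double extensions, which the one-line indicator does not spell out.

```python
"""Scan an upload storage tree for server-executable PHP files.

Added example (not Admidio code). The storage path and the sample file
names are constructed placeholders; run it against the real Documents &
Files directory to list files that should never appear there.
"""
import os
import tempfile
from typing import List, Tuple

# Extensions named in the advisory's IOC list (.php, .php5, .phtml) plus
# aliases that common PHP handler configurations also execute (assumption).
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "php8",
                  "phtml", "phar", "phps"}


def classify_upload(filename: str) -> str:
    """Return why a file name is suspicious, or '' if it looks benign.

    Matching is case-insensitive and every dot-separated segment after the
    base name is inspected, so 'report.pdf.PHP' (last extension executable)
    and 'pic.php.jpg' (executable under AddHandler-style multi-extension
    configurations) are both reported.
    """
    segments = filename.lower().split(".")[1:]  # drop the base name
    if not segments:
        return ""
    if segments[-1] in PHP_EXTENSIONS:
        return f"php extension .{segments[-1]}"
    inner = [s for s in segments[:-1] if s in PHP_EXTENSIONS]
    if inner:
        return f"embedded php extension .{inner[0]}"
    return ""


def scan_upload_dir(root: str) -> List[Tuple[str, str]]:
    """Walk the storage tree and return sorted (relative path, reason) hits."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            reason = classify_upload(name)
            if reason:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append((rel, reason))
    return sorted(hits)


def demo() -> List[Tuple[str, str]]:
    """Build a constructed storage tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "2026"))
        for name in ("minutes.pdf", "logo.png", "report.pdf.PHP",
                     "2026/cmd.phtml", "2026/pic.php.jpg", "README"):
            open(os.path.join(root, name), "w").close()
        return scan_upload_dir(root)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"ALERT {path}: {reason}")
```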
GHSA
File Upload(RCE) Vulnerability in admidio
ghsa · 2026-03-16 · CVE-2026-32756 · HIGH · CWE-434
### **Summary**
A critical unrestricted file upload vulnerability exists in the Documents & Files module of Admidio. Due to a design flaw in how CSRF token validation and file extension verification interact within `UploadHandlerFile.php`, an authenticated user with upload permissions can bypass file extension restrictions by intentionally submitting an invalid CSRF token. This allows the upload of arbitrary file types, including PHP scripts, which may lead to Remote Code Execution (RCE) on the server.
### **Details**
**1. Critical - Unrestricted File Upload leading to Remote Code Execution (RCE)**
**Root Cause Analysis:**
The root cause lies in a design flaw in `src/Infrastructure/Plugins/UploadHandlerFile.php`. The `UploadHandlerFile` class
OSV
File Upload(RCE) Vulnerability in admidio
osv · 2026-03-16 · CVE-2026-32756 · HIGH
No detection rules found.
No public exploits indexed.