CVE-2026-32817

Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the documents and files module does not verify whether the current user has permission to delete folders or files. The folder_delete and file_delete action handlers in modules/documents-files.php only perform a VIEW authorization check (getFolderForDownload / getFileForDownload) before calling delete(), and they never validate a CSRF token. Because the target UUIDs are read from $_GET, deletion can be triggered by a plain HTTP GET request. When the module is in public mode (documents_files_module_enabled = 1) and a folder is marked public (fol_public = true), an unauthenticated attacker can permanently destroy the entire document library. Even when the module requires login, any user with view-only access can delete content they are only permitted to read. This issue has been fixed in version 5.0.7.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/Admidio/admidio/security/advisories/GHSA-rmpj-3x5m-9m5f	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-20 02:16

Updated : 2026-03-23 13:16

NVD link : CVE-2026-32817

Mitre link : CVE-2026-32817

CVE.ORG link : CVE-2026-32817

JSON object : View

Products Affected

admidio

admidio

CWE

CWE-862

Missing Authorization

{"id": "CVE-2026-32817", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2026-03-20T02:16:35.380", "references": [{"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-rmpj-3x5m-9m5f", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the documents and files module does not verify whether the current user has permission to delete folders or files. The folder_delete and file_delete action handlers in modules/documents-files.php only perform a VIEW authorization check (getFolderForDownload / getFileForDownload) before calling delete(), and they never validate a CSRF token. Because the target UUIDs are read from $_GET, deletion can be triggered by a plain HTTP GET request. When the module is in public mode (documents_files_module_enabled = 1) and a folder is marked public (fol_public = true), an unauthenticated attacker can permanently destroy the entire document library. Even when the module requires login, any user with view-only access can delete content they are only permitted to read. This issue has been fixed in version 5.0.7."}, {"lang": "es", "value": "Admidio es una soluci\u00f3n de gesti\u00f3n de usuarios de c\u00f3digo abierto. En las versiones 5.0.0 a 5.0.6, el m\u00f3dulo de documentos y archivos no verifica si el usuario actual tiene permiso para eliminar carpetas o archivos. Los manejadores de acciones folder_delete y file_delete en modules/documents-files.php solo realizan una verificaci\u00f3n de autorizaci\u00f3n de VISTA (getFolderForDownload / getFileForDownload) antes de llamar a delete(), y nunca validan un token CSRF. Debido a que los UUID de destino se leen de $_GET, la eliminaci\u00f3n puede ser activada por una solicitud HTTP GET simple. Cuando el m\u00f3dulo est\u00e1 en modo p\u00fablico (documents_files_module_enabled = 1) y una carpeta est\u00e1 marcada como p\u00fablica (fol_public = true), un atacante no autenticado puede destruir permanentemente toda la biblioteca de documentos. Incluso cuando el m\u00f3dulo requiere inicio de sesi\u00f3n, cualquier usuario con acceso de solo lectura puede eliminar contenido que solo tiene permiso para leer. Este problema ha sido solucionado en la versi\u00f3n 5.0.7."}], "lastModified": "2026-03-23T13:16:30.240", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4020E2FE-8E51-405F-86CB-DAAFBA7FD9B3", "versionEndExcluding": "5.0.7", "versionStartIncluding": "5.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}