Vulnerability Description
Admidio is an open-source user management solution. Versions 5.0.6 and below contain a critical unrestricted file upload vulnerability in the Documents & Files module. Due to a design flaw in how CSRF token validation and file extension verification interact within UploadHandlerFile.php, an authenticated user with upload permissions can bypass file extension restrictions by intentionally submitting an invalid CSRF token. This allows the upload of arbitrary file types, including PHP scripts, which may lead to Remote Code Execution on the server, resulting in full server compromise, data exfiltration, and lateral movement. This issue has been fixed in version 5.0.7.
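To show the class of bug the description names, here is an added illustration (not Admidio's code, and not taken from UploadHandlerFile.php) of an upload handler whose extension check is reachable only after a CSRF check, so that an invalid token skips it, next to a fail-closed rewrite in which each check rejects independently. The allow-list, token value and form layout are constructed for the example.

```python
# Added illustration of a fail-open validation flow; assumed pattern, not Admidio's code.
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "txt"}
SESSION_CSRF_TOKEN = "constructed-token-123"  # constructed placeholder for the session token


class CsrfError(Exception):
    pass


def extension_of(filename: str) -> str:
    """Lower-cased final extension, or '' when the name has none."""
    return filename.rsplit(".", 1)[1].lower() if "." in filename else ""


def handle_upload_fail_open(form: dict) -> dict:
    """Vulnerable shape: the extension check runs only once the CSRF check has
    passed, and a CSRF failure is merely collected as a message while the
    handler still falls through and stores the file. Sending an invalid token
    therefore skips the extension check entirely."""
    messages = []
    try:
        if form.get("csrf_token") != SESSION_CSRF_TOKEN:
            raise CsrfError("invalid CSRF token")
        if extension_of(form["filename"]) not in ALLOWED_EXTENSIONS:
            messages.append("file type not allowed")
            return {"stored": False, "messages": messages}
    except CsrfError as exc:
        messages.append(str(exc))  # recorded, but execution continues below
    return {"stored": True, "messages": messages}


def handle_upload_hardened(form: dict) -> dict:
    """Fixed shape: each check is an independent fail-closed gate. A CSRF
    failure rejects the request outright, and the extension allow-list is
    enforced regardless of which earlier checks ran or how they failed."""
    if form.get("csrf_token") != SESSION_CSRF_TOKEN:
        return {"stored": False, "messages": ["invalid CSRF token"]}
    if extension_of(form["filename"]) not in ALLOWED_EXTENSIONS:
        return {"stored": False, "messages": ["file type not allowed"]}
    return {"stored": True, "messages": []}
```

The detection angle for a defender is the same in both shapes: an upload request that produced a CSRF error message yet resulted in a stored file is the signature of the fail-open path.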
CVSS Score
HIGH (CVSS base score 8.8)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Admidio | Admidio | < 5.0.7 |
Related Weaknesses (CWE)
References
- https://github.com/Admidio/admidio/releases/tag/v5.0.7 (Patch, Product)
- https://github.com/Admidio/admidio/security/advisories/GHSA-95cq-p4w2-32w5 (Exploit, Mitigation, Vendor Advisory)
FAQ
What is CVE-2026-32756?
CVE-2026-32756 is a vulnerability with a CVSS score of 8.8 (HIGH). Admidio is an open-source user management solution. Versions 5.0.6 and below contain a critical unrestricted file upload vulnerability in the Documents & Files module. Due to a design flaw in how CSRF token validation and file extension verification interact within UploadHandlerFile.php, an authenticated user with upload permissions can bypass file extension restrictions by intentionally submitting an invalid CSRF token, allowing the upload of arbitrary file types, including PHP scripts. The issue is fixed in version 5.0.7.
How severe is CVE-2026-32756?
CVE-2026-32756 has been rated HIGH with a CVSS base score of 8.8/10. See the CVSS Score section above.
Is there a patch for CVE-2026-32756?
Yes: the issue is fixed in Admidio 5.0.7. See the References section above for the release and the vendor advisory. Affected product: Admidio (vendor Admidio), versions earlier than 5.0.7.