Vulnerability Description
Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the documents and files module does not verify whether the current user has permission to delete folders or files. The folder_delete and file_delete action handlers in modules/documents-files.php only perform a VIEW authorization check (getFolderForDownload / getFileForDownload) before calling delete(), and they never validate a CSRF token. Because the target UUIDs are read from $_GET, deletion can be triggered by a plain HTTP GET request. When the module is in public mode (documents_files_module_enabled = 1) and a folder is marked public (fol_public = true), an unauthenticated attacker can permanently destroy the entire document library. Even when the module requires login, any user with view-only access can delete content they are only permitted to read. This issue has been fixed in version 5.0.7.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Admidio | Admidio | >= 5.0.0, < 5.0.7 |
Related Weaknesses (CWE)
References
- https://github.com/Admidio/admidio/security/advisories/GHSA-rmpj-3x5m-9m5fExploitMitigationVendor Advisory
FAQ
What is CVE-2026-32817?
CVE-2026-32817 is a vulnerability with a CVSS score of 9.1 (CRITICAL). Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the documents and files module does not verify whether the current user has permission to delete folders or files. ...
How severe is CVE-2026-32817?
CVE-2026-32817 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-32817?
Check the references section above for vendor advisories and patch information. Affected products include: Admidio Admidio.