CVE-2026-32817
Published: 20 March 2026
Description
Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the documents and files module does not verify whether the current user has permission to delete folders or files. The folder_delete and file_delete action handlers in modules/documents-files.php only…
more
perform a VIEW authorization check (getFolderForDownload / getFileForDownload) before calling delete(), and they never validate a CSRF token. Because the target UUIDs are read from $_GET, deletion can be triggered by a plain HTTP GET request. When the module is in public mode (documents_files_module_enabled = 1) and a folder is marked public (fol_public = true), an unauthenticated attacker can permanently destroy the entire document library. Even when the module requires login, any user with view-only access can delete content they are only permitted to read. This issue has been fixed in version 5.0.7.
Mitigating Controls (NIST 800-53 r5)AI
Directly enforces required delete permissions beyond view-only access, preventing unauthorized folder and file deletions via authorization bypass.
Validates inputs including CSRF tokens and request methods, blocking forged GET-based delete requests.
Ensures least privilege so view-only users lack delete capabilities, limiting impact even if enforcement fails.
Security SummaryAI
CVE-2026-32817 is a critical authorization bypass vulnerability in Admidio, an open-source user management solution. Affecting versions 5.0.0 through 5.0.6, the issue resides in the documents and files module, specifically the folder_delete and file_delete action handlers in modules/documents-files.php. These handlers only perform a VIEW authorization check via getFolderForDownload or getFileForDownload before invoking delete(), without validating delete permissions or CSRF tokens. Target UUIDs are sourced from $_GET parameters, enabling deletion via simple HTTP GET requests.
Unauthenticated attackers can exploit this when the module is in public mode (documents_files_module_enabled = 1) and a folder is marked public (fol_public = true), allowing permanent destruction of the entire document library over the network with low complexity and no user interaction. Even in login-required configurations, any authenticated user with view-only access can delete content they are merely permitted to read, achieving high integrity and availability impacts as reflected in the CVSS v3.1 score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) and mapped to CWE-862 (Missing Authorization).
The GitHub Security Advisory at https://github.com/Admidio/admidio/security/advisories/GHSA-rmpj-3x5m-9m5f details the fix in Admidio version 5.0.7, which addresses the permission checks and CSRF validation deficiencies. Security practitioners should upgrade to 5.0.7 or later and review configurations for public exposure of the documents and files module.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables exploitation of public-facing web application (T1190) for unauthorized data destruction via file/folder deletion (T1485).