Skip to main content

PHP CVE-2026-32756

HIGH
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-03-16 https://github.com/Admidio/admidio GHSA-95cq-p4w2-32w5
8.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 17, 2026 - 08:13 vuln.today
CVE Published
Mar 16, 2026 - 21:16 nvd
HIGH 8.8

DescriptionGitHub Advisory

Summary

A critical unrestricted file upload vulnerability exists in the Documents & Files module of Admidio. Due to a design flaw in how CSRF token validation and file extension verification interact within UploadHandlerFile.php, an authenticated user with upload permissions can bypass file extension restrictions by intentionally submitting an invalid CSRF token. This allows the upload of arbitrary file types, including PHP scripts, which may lead to Remote Code Execution (RCE) on the server.

Details

1. Critical - Unrestricted File Upload leading to Remote Code Execution (RCE)

Root Cause Analysis:

The root cause lies in a design flaw in src/Infrastructure/Plugins/UploadHandlerFile.php. The UploadHandlerFile class overrides two methods from its parent UploadHandler class:

  • handle_form_data($file, $index) - Validates the CSRF token. On failure, it sets $file->error and returns. The request is not terminated.
  • handle_file_upload(...) - Calls parent::handle_file_upload() to physically write the file to disk, then checks if (!isset($file->error)) before running file extension validation (allowedFileExtension()).

The execution flow differs based on whether the CSRF token is valid:

  • Valid CSRF token: handle_form_data() does not set an error → extension check runs → invalid extension causes the uploaded file to be deleted from disk.
  • Invalid CSRF token: handle_form_data() sets $file->error → the if (!isset($file->error)) guard in handle_file_upload() causes the extension validation to be skipped entirely → the cleanup code (FileSystemUtils::deleteFileIfExists()) is never reached → the file, already written to disk by the parent class, remains on the server and is directly accessible.

In summary, the file is always saved to disk by the parent class first. The extension check and cleanup only execute when no prior error exists. A deliberate CSRF token failure bypasses the extension filter while the file remains on disk.

Affected code (src/Infrastructure/Plugins/UploadHandlerFile.php):

php
// File is physically saved to disk here, before any Admidio-specific checks
$file = parent::handle_file_upload($uploaded_file, $name, $size, $type, $error, $index, $content_range);

if (!isset($file->error)) {
    // Extension validation is only reached when no prior error is set.
    // If CSRF validation failed in handle_form_data(), this block is skipped
    // and the uploaded file is never cleaned up from disk.
    if (!$newFile->allowedFileExtension()) {
        throw new Exception('SYS_FILE_EXTENSION_INVALID');
    }
}

PoC

Documents & Files Create folder <img width="762" height="729" alt="image" src="https://github.com/user-attachments/assets/2c927482-851b-4945-93d6-6e7a1e3bc21f" />

<img width="749" height="690" alt="image" src="https://github.com/user-attachments/assets/72443c87-e15f-4312-9659-8cd0661a4dae" />

File Upload Try 1-1 (before request) <img width="1856" height="635" alt="image" src="https://github.com/user-attachments/assets/d1ffaa12-aec1-45ff-a612-885d9554fb60" />

File Upload Try 1-2 (after request) <img width="1850" height="855" alt="image" src="https://github.com/user-attachments/assets/4ece4aac-1255-4189-9048-45ff3df4abcf" />

File Upload Try 1-3 (After changing CSRF to a test value, request → PHP file upload succeeds) <img width="1847" height="928" alt="image" src="https://github.com/user-attachments/assets/63f9d108-5e4f-4d32-96d2-09f9ad910873" />

✅ rcepoc.php Upload Success! <img width="926" height="814" alt="image" src="https://github.com/user-attachments/assets/4de99c31-dc3c-44f2-9936-19c3da0dfffb" />

Access the rcepoc upload path confirmed in the response and check the web shell. <img width="1635" height="922" alt="image" src="https://github.com/user-attachments/assets/0b770caf-e737-4cbd-97b9-ae191a8b79f5" />

🆗 WebShell Success <img width="685" height="187" alt="image" src="https://github.com/user-attachments/assets/e90f162b-7949-41c4-9fd1-aad3b6365adf" />

<img width="794" height="209" alt="image" src="https://github.com/user-attachments/assets/f45dae74-a830-4761-af31-f2ac28eb2586" />

Steps to Reproduce:

  1. Log in to Admidio as an authenticated user with upload permissions on the Documents & Files module.
  2. Navigate to a folder in the Documents & Files module and open the file upload dialog.
  3. Intercept the upload POST request to /system/file_upload.php?module=documents_files&mode=upload_files&uuid=<folder_uuid> using a proxy tool such as Burp Suite.
  4. Replace the value of the adm_csrf_token field with an arbitrary invalid string (e.g., webshellgogo).
  5. Set the file to be uploaded to a PHP webshell (e.g., <?php system($_GET[1]); ?>).
  6. Forward the modified request.
  7. Observe that the server responds with HTTP 200 OK. The JSON body contains "error":"Invalid or missing CSRF token!", yet the file is physically present on the server at the path indicated in the url field.
  8. Access the uploaded PHP file directly via the URL provided in the response - arbitrary command execution is confirmed.

Impact

  • An authenticated attacker with upload permissions can bypass file extension validation and upload arbitrary server-side scripts such as PHP webshells.
  • This leads to Remote Code Execution (RCE), potentially resulting in full server compromise, sensitive data exfiltration, and lateral movement.
  • While authentication is required, the attack is not limited to administrators - any member granted upload rights may exploit this vulnerability, making the attack surface broader than it may initially appear.

Remediation Measures

  • The extension validation logic should be executed independently of the CSRF error state. It is recommended to move the extension check and the corresponding cleanup outside of the if (!isset($file->error)) block so that files with disallowed extensions are always removed from disk, regardless of other errors.
  • Rather than relying on a blacklist of dangerous extensions (e.g., .php, .phar, .phtml), it is strongly recommended to implement a whitelist of permitted extensions appropriate to a documents module (e.g., .pdf, .docx, .xlsx, .pptx, .txt).
  • CSRF token validation should either be performed before the file is written to disk, or a validation failure should result in immediate request termination rather than merely setting an error flag on the file object.

AnalysisAI

A critical unrestricted file upload vulnerability in Admidio's Documents & Files module allows authenticated users with upload permissions to bypass file extension restrictions by submitting an invalid CSRF token, enabling upload of PHP scripts that lead to Remote Code Execution. The vulnerability affects Admidio versions prior to the patch and has a published proof-of-concept demonstrating webshell upload and command execution. With a CVSS score of 8.8 and detailed exploitation steps available, this represents a high-priority risk for organizations using Admidio for document management.

Technical ContextAI

The vulnerability exists in Admidio (CPE: pkg:composer/admidio_admidio), an open-source membership management system written in PHP. The flaw stems from a design issue in the UploadHandlerFile.php class where CSRF token validation and file extension verification are improperly sequenced - files are written to disk before validation, and extension checks are skipped when any prior error (including CSRF failure) is present. This represents a classic CWE-434 (Unrestricted Upload of File with Dangerous Type) vulnerability where security controls can be bypassed through manipulation of the validation flow.

RemediationAI

Immediately update Admidio to the latest patched version available through the official GitHub repository or Composer package manager. Until patching is complete, consider temporarily disabling file upload functionality in the Documents & Files module or restricting upload permissions to only highly trusted administrators. Organizations should implement additional defense-in-depth measures including web application firewalls configured to block PHP file uploads, file upload directories configured with no-execute permissions, and monitoring for suspicious file uploads. Review the vendor advisory at https://github.com/Admidio/admidio/security/advisories/GHSA-95cq-p4w2-32w5 for specific patch details and additional guidance.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-32756 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy