PHP
CVE-2026-32817
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the documents and files module does not verify whether the current user has permission to delete folders or files. The folder_delete and file_delete action handlers in modules/documents-files.php only perform a VIEW authorization check (getFolderForDownload / getFileForDownload) before calling delete(), and they never validate a CSRF token. Because the target UUIDs are read from $_GET, deletion can be triggered by a plain HTTP GET request. When the module is in public mode (documents_files_module_enabled = 1) and a folder is marked public (fol_public = true), an unauthenticated attacker can permanently destroy the entire document library. Even when the module requires login, any user with view-only access can delete content they are only permitted to read. This issue has been fixed in version 5.0.7.
AnalysisAI
Admidio versions 5.0.0 through 5.0.6 contain a critical authorization bypass vulnerability in the documents and files module that allows unauthorized deletion of folders and files. When the module is configured in public mode, unauthenticated attackers can permanently destroy the entire document library via simple HTTP GET requests without CSRF protection. The vulnerability combines missing authorization checks (CWE-862) with CSRF weaknesses, resulting in a CVSS score of 9.1 (Critical) with network-based attack vector requiring no privileges or user interaction.
Technical ContextAI
The vulnerability exists in the modules/documents-files.php file of Admidio, an open-source PHP-based user management and administration system. The root cause is classified as CWE-862 (Missing Authorization), where the folder_delete and file_delete action handlers only perform VIEW-level authorization checks via getFolderForDownload and getFileForDownload methods before executing delete operations. The handlers accept target UUIDs directly from the $_GET superglobal without validating whether the user has DELETE permissions or verifying CSRF tokens. When documents_files_module_enabled is set to 1 (public mode) and folders are marked with fol_public=true, the module exposes destructive operations to unauthenticated users. Even in restricted mode, users with read-only access can escalate to delete privileges, violating the principle of least privilege and proper role-based access control implementation.
RemediationAI
Immediately upgrade Admidio to version 5.0.7 or later, which contains fixes for the authorization bypass and CSRF vulnerabilities as documented in the GitHub security advisory at https://github.com/Admidio/admidio/security/advisories/GHSA-rmpj-3x5m-9m5f. Organizations unable to upgrade immediately should disable public access to the documents and files module by setting documents_files_module_enabled to 0 or restricting the module to authenticated administrators only. As an additional interim control, implement web application firewall rules to block HTTP GET requests to modules/documents-files.php containing folder_delete or file_delete action parameters from untrusted IP ranges. Review access logs for suspicious deletion activity targeting the documents module and restore deleted content from backups if unauthorized deletions have occurred. After upgrading, verify that folder and file deletion operations properly enforce authorization checks and CSRF token validation.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-862 – Missing Authorization
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-rmpj-3x5m-9m5f