Skip to main content

PHP CVE-2026-32817

CRITICAL
Missing Authorization (CWE-862)
2026-03-20 security-advisories@github.com GHSA-rmpj-3x5m-9m5f
9.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 20, 2026 - 08:37 vuln.today
CVE Published
Mar 20, 2026 - 02:16 nvd
CRITICAL 9.1

DescriptionGitHub Advisory

Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the documents and files module does not verify whether the current user has permission to delete folders or files. The folder_delete and file_delete action handlers in modules/documents-files.php only perform a VIEW authorization check (getFolderForDownload / getFileForDownload) before calling delete(), and they never validate a CSRF token. Because the target UUIDs are read from $_GET, deletion can be triggered by a plain HTTP GET request. When the module is in public mode (documents_files_module_enabled = 1) and a folder is marked public (fol_public = true), an unauthenticated attacker can permanently destroy the entire document library. Even when the module requires login, any user with view-only access can delete content they are only permitted to read. This issue has been fixed in version 5.0.7.

AnalysisAI

Admidio versions 5.0.0 through 5.0.6 contain a critical authorization bypass vulnerability in the documents and files module that allows unauthorized deletion of folders and files. When the module is configured in public mode, unauthenticated attackers can permanently destroy the entire document library via simple HTTP GET requests without CSRF protection. The vulnerability combines missing authorization checks (CWE-862) with CSRF weaknesses, resulting in a CVSS score of 9.1 (Critical) with network-based attack vector requiring no privileges or user interaction.

Technical ContextAI

The vulnerability exists in the modules/documents-files.php file of Admidio, an open-source PHP-based user management and administration system. The root cause is classified as CWE-862 (Missing Authorization), where the folder_delete and file_delete action handlers only perform VIEW-level authorization checks via getFolderForDownload and getFileForDownload methods before executing delete operations. The handlers accept target UUIDs directly from the $_GET superglobal without validating whether the user has DELETE permissions or verifying CSRF tokens. When documents_files_module_enabled is set to 1 (public mode) and folders are marked with fol_public=true, the module exposes destructive operations to unauthenticated users. Even in restricted mode, users with read-only access can escalate to delete privileges, violating the principle of least privilege and proper role-based access control implementation.

RemediationAI

Immediately upgrade Admidio to version 5.0.7 or later, which contains fixes for the authorization bypass and CSRF vulnerabilities as documented in the GitHub security advisory at https://github.com/Admidio/admidio/security/advisories/GHSA-rmpj-3x5m-9m5f. Organizations unable to upgrade immediately should disable public access to the documents and files module by setting documents_files_module_enabled to 0 or restricting the module to authenticated administrators only. As an additional interim control, implement web application firewall rules to block HTTP GET requests to modules/documents-files.php containing folder_delete or file_delete action parameters from untrusted IP ranges. Review access logs for suspicious deletion activity targeting the documents module and restore deleted content from backups if unauthorized deletions have occurred. After upgrading, verify that folder and file deletion operations properly enforce authorization checks and CSRF token validation.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-32817 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy