PT-2026-25854 · Admidio · Admidio

Arrester · Published 2026-03-16 · Updated 2026-03-20 · CVE-2026-32756

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Admidio versions 5.0.6 and below

Description: Admidio, an open-source user management solution, contains a critical unrestricted file upload vulnerability in the Documents & Files module. A flaw in the interaction between CSRF token validation and file extension verification in UploadHandlerFile.php allows an authenticated user with upload permissions to bypass the file extension restrictions by submitting an invalid CSRF token. This permits the upload of arbitrary file types, including PHP scripts, and can lead to Remote Code Execution (RCE) on the server; successful exploitation could result in full server compromise, data exfiltration, and lateral movement. The root cause is that the parent class always writes the uploaded file to disk before any Admidio-specific checks run, and the extension validation and cleanup execute only when no prior error has been recorded. A deliberate CSRF token failure therefore records an error that skips the extension filter while the file remains on disk. The vulnerable code resides in src/Infrastructure/Plugins/UploadHandlerFile.php. A proof of concept demonstrates the upload of a PHP webshell by manipulating the CSRF token.

Recommendations: Versions prior to 5.0.7 are vulnerable; update to version 5.0.7 or later. The extension validation logic should execute independently of the CSRF error state. Implement a whitelist of permitted extensions appropriate to a documents module. CSRF token validation should either be performed before the file is written to disk, or a validation failure should terminate the request immediately.
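The ordering flaw in the Description and the fix order in the Recommendations, modelled side by side. This is a constructed example added here, not Admidio's PHP code: the handler classes, the field names, the ALLOWED_EXTENSIONS allow-list and the run_case() helper are all assumptions made for illustration. VulnerableHandler writes first and gates the extension check on "no prior error", so a CSRF failure leaves the file in place; HardenedHandler checks the token, then the allow-list, and writes only when both pass.

```python
"""Model of the upload-ordering flaw in the advisory and its hardened counterpart.

Constructed example, not Admidio's code: the handler classes, field names,
ALLOWED_EXTENSIONS and run_case() are assumptions made for illustration.
"""
import os
import tempfile
from dataclasses import dataclass
from typing import Optional, Tuple, Type

# Assumed allow-list for a documents module; the real set is a policy decision.
ALLOWED_EXTENSIONS = {"pdf", "docx", "xlsx", "png", "jpg", "txt"}


@dataclass
class UploadRequest:
    filename: str
    content: bytes
    csrf_token: str


@dataclass
class UploadResult:
    stored_path: Optional[str]   # where the file ended up, or None
    error: Optional[str]         # error reported to the client, or None


def extension_of(filename: str) -> str:
    """Lower-cased final extension, or '' when there is none."""
    return filename.rsplit(".", 1)[1].lower() if "." in filename else ""


def save_to_disk(upload_dir: str, req: UploadRequest) -> str:
    """Stand-in for the parent class's write. basename() keeps path handling
    out of the picture; the ordering of checks is the point of this model."""
    path = os.path.join(upload_dir, os.path.basename(req.filename))
    with open(path, "wb") as fh:
        fh.write(req.content)
    return path


class VulnerableHandler:
    """Reproduces the ordering described in the advisory."""

    def __init__(self, upload_dir: str, expected_csrf: str) -> None:
        self.upload_dir = upload_dir
        self.expected_csrf = expected_csrf

    def handle(self, req: UploadRequest) -> UploadResult:
        # Parent-class behaviour: the file is on disk before any module check.
        path = save_to_disk(self.upload_dir, req)
        error = None
        if req.csrf_token != self.expected_csrf:
            error = "invalid CSRF token"
        # The extension check and cleanup run only when no prior error exists,
        # so a CSRF failure skips them and the file is left behind.
        if error is None and extension_of(req.filename) not in ALLOWED_EXTENSIONS:
            os.remove(path)
            path, error = None, "extension not allowed"
        return UploadResult(path, error)


class HardenedHandler(VulnerableHandler):
    """Applies the recommendations: CSRF first, then the allow-list, both
    before anything is written; any failure terminates the request."""

    def handle(self, req: UploadRequest) -> UploadResult:
        if req.csrf_token != self.expected_csrf:
            return UploadResult(None, "invalid CSRF token")
        if extension_of(req.filename) not in ALLOWED_EXTENSIONS:
            return UploadResult(None, "extension not allowed")
        return UploadResult(save_to_disk(self.upload_dir, req), None)


def run_case(handler_cls: Type[VulnerableHandler], filename: str,
             token: str) -> Tuple[Optional[str], bool]:
    """Run one upload in a fresh temp dir; return (error, file_left_on_disk)."""
    upload_dir = tempfile.mkdtemp(prefix="uploads-")
    handler = handler_cls(upload_dir, expected_csrf="valid-token")
    result = handler.handle(UploadRequest(filename, b"constructed content", token))
    left_on_disk = os.path.exists(os.path.join(upload_dir, os.path.basename(filename)))
    return result.error, left_on_disk


if __name__ == "__main__":
    for cls in (VulnerableHandler, HardenedHandler):
        print(cls.__name__, run_case(cls, "upload.php", "wrong-token"))
```

The telling case is a disallowed extension with a bad token: the vulnerable handler reports the CSRF error to the client yet returns file_left_on_disk as True, which is exactly the condition the advisory describes; the hardened handler reports the same error with nothing written. A regression test for the fixed version should assert on the filesystem state after a rejected request, not only on the error message.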

Weakness Enumeration: Unrestricted File Upload

Related Identifiers: CVE-2026-32756, GHSA-95CQ-P4W2-32W5

Affected Products: Admidio