PT-2026-26172 · Admidio · Admidio

Restriction · Published 2026-03-16 · Updated 2026-03-20 · CVE-2026-32817
CVSS v3.1 9.1 Critical
Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Admidio versions 5.0.0 through 5.0.6
Description: Admidio's documents and files module does not properly verify user permissions before allowing folder or file deletion. The folder-delete and file-delete action handlers in modules/documents-files.php perform only a VIEW authorization check before calling the delete function, and they do not validate a CSRF token. The target UUIDs are read from $_GET, so a deletion can be triggered by a plain HTTP GET request. If the module is in public mode, an unauthenticated attacker can permanently destroy the entire document library; even when login is required, a user with view-only access can delete content they are only permitted to read. Folder::delete() is recursive and permanently removes files and folders from both the database and the filesystem. Because the action is a GET with no CSRF protection, it can also be triggered cross-site: an attacker only needs to embed a malicious link (or any element that makes the victim's browser issue that GET) in an email or web page opened by a logged-in user.
Recommendations: Update to version 5.0.7 or later to resolve this issue.
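As an added illustration that is not Admidio's own code, the PHP 8 sketch below shows the handler shape the description above refers to (a VIEW-only check on a GET request with no CSRF token) next to a hardened version that requires a POST, a session-bound CSRF token and the edit right before anything is deleted. The User and Folder classes, the method names hasViewRight()/hasEditRight(), the parameter names folder_uuid and csrf_token, and the simplified rights model are assumptions made for this example and do not reflect Admidio's real API.

```php
<?php
declare(strict_types=1);

// Illustrative example only, not Admidio's code. Classes, method and parameter
// names below are assumptions chosen to show the vulnerable pattern and a fix.

final class User
{
    public function __construct(private bool $canView, private bool $canEdit) {}
    public function hasViewRight(): bool { return $this->canView; }
    public function hasEditRight(): bool { return $this->canEdit; }
}

final class Folder
{
    public bool $deleted = false;
    public function __construct(public string $uuid) {}
    // Stand-in for a recursive delete that removes DB rows and files on disk.
    public function delete(): void { $this->deleted = true; }
}

// Vulnerable shape: any HTTP method, UUID taken from the query string,
// and only the VIEW right is checked before the destructive call.
function deleteFolderVulnerable(array $get, User $user, Folder $folder): bool
{
    if (!isset($get['folder_uuid']) || $get['folder_uuid'] !== $folder->uuid) {
        return false;
    }
    if (!$user->hasViewRight()) {   // a read-only user passes this check
        return false;
    }
    $folder->delete();               // ...and the whole folder tree is gone
    return true;
}

// Hardened shape: state change only on POST, request bound to the session by
// a CSRF token the attacker's origin cannot read, and the EDIT right required.
function deleteFolderHardened(string $method, array $post, string $sessionToken, User $user, Folder $folder): bool
{
    if ($method !== 'POST') {
        return false;                // a cross-site link or image tag only produces a GET
    }
    $token = (string)($post['csrf_token'] ?? '');
    if ($token === '' || !hash_equals($sessionToken, $token)) {
        return false;                // constant-time compare against the session token
    }
    if (!isset($post['folder_uuid']) || $post['folder_uuid'] !== $folder->uuid) {
        return false;
    }
    if (!$user->hasEditRight()) {
        return false;                // permission must match the action, not just viewing
    }
    $folder->delete();
    return true;
}

// Constructed demonstration: a view-only user whose browser is made to issue
// the delete request, as a malicious link or page would do.
$viewer       = new User(canView: true, canEdit: false);
$uuid         = 'constructed-folder-uuid';     // constructed sample value
$sessionToken = bin2hex(random_bytes(32));      // token kept in the user's session

$f = new Folder($uuid);
echo 'vulnerable handler, view-only user, GET:        ',
     var_export(deleteFolderVulnerable(['folder_uuid' => $uuid], $viewer, $f), true), PHP_EOL;

$f = new Folder($uuid);
echo 'hardened handler, view-only user, GET:          ',
     var_export(deleteFolderHardened('GET', [], $sessionToken, $viewer, $f), true), PHP_EOL;

$f = new Folder($uuid);
echo 'hardened handler, view-only user, POST + token: ',
     var_export(deleteFolderHardened('POST', ['folder_uuid' => $uuid, 'csrf_token' => $sessionToken], $viewer, $f), true), PHP_EOL;
```

The order of the checks in the hardened handler is deliberate: the method check rejects every cross-site GET before any parameter is read, the token check ties the request to the victim's own session, and the permission check is the one that matches the action being performed, so a user who may only read a folder is turned away even when the request is authentic.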

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2026-32817
GHSA-RMPJ-3X5M-9M5F

Affected Products

Admidio