Unrestricted File Upload Vulnerability in Admidio User Management Solution
CVE-2026-32756

8.8 HIGH

Key Information:

Vendor: Admidio

Status
Vendor
CVE Published: 19 March 2026

What is CVE-2026-32756?

Admidio, an open-source user management solution, has an unrestricted file upload vulnerability in versions 5.0.6 and below. The flaw is a design weakness in the Documents & Files module, specifically in UploadHandlerFile.php, where CSRF token validation does not effectively prevent file extension restrictions from being bypassed. An authenticated user with permission to upload files can exploit it by submitting an invalid CSRF token, which lets them upload arbitrary file types, including malicious PHP scripts. This can lead to Remote Code Execution on the server, and from there to complete server compromise, unauthorized data access, and lateral movement within the network. The issue is fixed in Admidio version 5.0.7.

Affected Version(s)

admidio < 5.0.7

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
