Access Control Flaw in Admidio User Management Solution by Admidio
CVE-2026-32817

9.1 CRITICAL

Key Information:

Vendor

Admidio

Status
Vendor
CVE Published:
20 March 2026

What is CVE-2026-32817?

Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, its documents and files module does not verify that a user holds the permission required to delete files or folders. The action handlers for folder and file deletion check only that the caller may view the folder, and they do not validate a CSRF token. As a result, an unauthenticated attacker can delete folders and files in a public document library with a single HTTP GET request, and a logged-in user with view-only access can delete content they should only be able to read (and, because no CSRF token is checked, can be made to do so without intending it). The outcome is loss of stored documents. The issue is fixed in version 5.0.7; affected installations should upgrade to 5.0.7 or later.

Affected Version(s)

admidio >= 5.0.0, < 5.0.7
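As an added illustration (not Admidio's code), the following Python model shows the pattern the advisory describes: a deletion handler that authorizes on view permission alone, beside a hardened handler that requires POST, a session-bound CSRF token and an explicit delete permission. It also includes a helper for the affected version range listed above. The in-memory library, the users, the permission names (`can_view`, `can_delete`) and the status codes are constructed assumptions for the example.

```python
"""Model of the CVE-2026-32817 deletion-handler flaw and its fix.

Added example, not Admidio code. The vulnerable handler mirrors the advisory:
only a view check, no CSRF token, any HTTP method. The fixed handler adds the
checks the advisory says were missing. All names and data are assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Folder:
    name: str
    public: bool                                   # viewable by anonymous visitors
    viewers: set = field(default_factory=set)      # users with view access
    editors: set = field(default_factory=set)      # users allowed to delete


@dataclass
class Request:
    method: str
    folder: str
    user: Optional[str] = None                     # None = unauthenticated
    csrf_token: Optional[str] = None


class Library:
    """Constructed sample: one public folder and one members-only folder."""

    def __init__(self):
        self.folders = {
            "public-docs": Folder("public-docs", public=True, editors={"admin"}),
            "board": Folder("board", public=False, viewers={"alice"}, editors={"admin"}),
        }
        self.sessions = {}  # user -> CSRF token bound to that user's session

    def session_token(self, user: str) -> str:
        return self.sessions.setdefault(user, secrets.token_hex(16))

    def can_view(self, folder: Folder, user: Optional[str]) -> bool:
        return folder.public or user in folder.viewers or user in folder.editors

    def can_delete(self, folder: Folder, user: Optional[str]) -> bool:
        return user in folder.editors

    def delete_folder_vulnerable(self, req: Request) -> int:
        """Pattern described in the advisory: view permission is the only gate."""
        folder = self.folders.get(req.folder)
        if folder is None:
            return 404
        # No method check, no CSRF check, no delete-permission check:
        # an anonymous GET against a public folder passes straight through.
        if not self.can_view(folder, req.user):
            return 403
        del self.folders[req.folder]
        return 200

    def delete_folder_fixed(self, req: Request) -> int:
        """State-changing action: POST only, authenticated, CSRF-bound, authorized."""
        folder = self.folders.get(req.folder)
        if folder is None:
            return 404
        if req.method != "POST":
            return 405
        if req.user is None:
            return 401
        expected = self.sessions.get(req.user)
        if expected is None or req.csrf_token is None \
                or not hmac.compare_digest(expected, req.csrf_token):
            return 403
        if not self.can_delete(folder, req.user):
            return 403
        del self.folders[req.folder]
        return 200


def is_affected(version: str) -> bool:
    """True for 5.0.0 <= version < 5.0.7, the range in this advisory.

    Accepts plain dotted versions such as "5.0.6"; a missing component
    counts as 0, and any non-numeric suffix on a component is ignored.
    """
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    parts = tuple((parts + [0, 0, 0])[:3])
    return (5, 0, 0) <= parts < (5, 0, 7)


if __name__ == "__main__":
    lib = Library()
    print("anonymous GET, vulnerable:", lib.delete_folder_vulnerable(Request("GET", "public-docs")))
    lib = Library()
    print("anonymous GET, fixed:", lib.delete_folder_fixed(Request("GET", "public-docs")))
    print("5.0.6 affected:", is_affected("5.0.6"), "| 5.0.7 affected:", is_affected("5.0.7"))
```

The fixed handler orders its checks so that the cheapest rejections (method, authentication) come first and the authorization decision is made against a delete-specific right rather than the view right; the CSRF comparison uses a constant-time equality to avoid leaking the token through timing.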

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Note: the metrics as listed (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) compute to a CVSS v3.1 base score of 7.5, not 9.1. A 9.1 score with the same attack metrics requires Availability: High (A:H), which is consistent with the description, since deleting a library's files and folders removes them for every user. Treat the Availability entry above as likely mis-recorded and confirm the vector against the published CVE record before relying on it.
