CVE-2026-32756
Published: 20 March 2026
Summary
CVE-2026-32756 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Admidio Admidio. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the unrestricted file upload vulnerability by requiring validation of uploaded files for type, content, and structure to prevent bypass of extension restrictions.
Mitigates the specific design flaw in UploadHandlerFile.php by mandating timely flaw remediation, such as patching to Admidio version 5.0.7.
Counters the CSRF token validation bypass that interacts with file extension checks by enforcing proper session authenticity mechanisms.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unrestricted file upload in public-facing web app directly enables T1190 exploitation to deploy web shell (T1505.003) for RCE.
NVD Description
Admidio is an open-source user management solution. Versions 5.0.6 and below contain a critical unrestricted file upload vulnerability in the Documents & Files module. Due to a design flaw in how CSRF token validation and file extension verification interact within…
more
UploadHandlerFile.php, an authenticated user with upload permissions can bypass file extension restrictions by intentionally submitting an invalid CSRF token. This allows the upload of arbitrary file types, including PHP scripts, which may lead to Remote Code Execution on the server, resulting in full server compromise, data exfiltration, and lateral movement. This issue has been fixed in version 5.0.7.
Deeper analysisAI
CVE-2026-32756 is a critical unrestricted file upload vulnerability (CWE-434) affecting Admidio, an open-source user management solution, in versions 5.0.6 and prior. The flaw resides in the Documents & Files module, specifically within UploadHandlerFile.php, where a design issue in the interaction between CSRF token validation and file extension verification allows bypass of restrictions. This enables the upload of arbitrary file types, such as PHP scripts, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An authenticated attacker with upload permissions can exploit this vulnerability over the network with low complexity and no user interaction required. By intentionally submitting an invalid CSRF token, the attacker bypasses file extension checks, uploads malicious files like webshells, and achieves remote code execution on the server. Successful exploitation may result in full server compromise, data exfiltration, and lateral movement within the environment.
Admidio has addressed the issue in version 5.0.7, as detailed in the project's release notes and GitHub Security Advisory GHSA-95cq-p4w2-32w5. Security practitioners should upgrade to 5.0.7 or later and review access controls for upload permissions in affected deployments.
Details
- CWE(s)