Cyber Resilience

CVE-2026-32756

HighPublic PoC

Published: 20 March 2026

Published
20 March 2026
Modified
23 March 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0098 57.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-32756 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Admidio Admidio. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 42.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-32756 is a critical unrestricted file upload vulnerability (CWE-434) affecting Admidio, an open-source user management solution, in versions 5.0.6 and prior. The flaw resides in the Documents & Files module, specifically within UploadHandlerFile.php, where a design issue in the interaction between CSRF token validation and file extension verification allows bypass of restrictions. This enables the upload of arbitrary file types, such as PHP scripts, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An authenticated attacker with upload permissions can exploit this vulnerability over the network with low complexity and no user interaction required. By intentionally submitting an invalid CSRF token, the attacker bypasses file extension checks, uploads malicious files like webshells, and achieves remote code execution on the server. Successful exploitation may result in full server compromise, data exfiltration, and lateral movement within the environment.

Admidio has addressed the issue in version 5.0.7, as detailed in the project's release notes and GitHub Security Advisory GHSA-95cq-p4w2-32w5. Security practitioners should upgrade to 5.0.7 or later and review access controls for upload permissions in affected deployments.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Admidio is an open-source user management solution. Versions 5.0.6 and below contain a critical unrestricted file upload vulnerability in the Documents & Files module. Due to a design flaw in how CSRF token validation and file extension verification interact within…

more

UploadHandlerFile.php, an authenticated user with upload permissions can bypass file extension restrictions by intentionally submitting an invalid CSRF token. This allows the upload of arbitrary file types, including PHP scripts, which may lead to Remote Code Execution on the server, resulting in full server compromise, data exfiltration, and lateral movement. This issue has been fixed in version 5.0.7.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Unrestricted file upload in public-facing web app directly enables T1190 exploitation to deploy web shell (T1505.003) for RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32813Same product: Admidio Admidio
CVE-2026-34381Same product: Admidio Admidio
CVE-2026-34384Same product: Admidio Admidio
CVE-2026-32817Same product: Admidio Admidio
CVE-2025-22654Shared CWE-434
CVE-2025-11948Shared CWE-434
CVE-2025-67260Shared CWE-434
CVE-2025-28915Shared CWE-434
CVE-2023-53956Shared CWE-434
CVE-2025-6058Shared CWE-434

Affected Assets

admidio
admidio
≤ 5.0.7

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the unrestricted file upload vulnerability by requiring validation of uploaded files for type, content, and structure to prevent bypass of extension restrictions.

prevent

Mitigates the specific design flaw in UploadHandlerFile.php by mandating timely flaw remediation, such as patching to Admidio version 5.0.7.

prevent

Counters the CSRF token validation bypass that interacts with file extension checks by enforcing proper session authenticity mechanisms.

References