CVE-2026-32817
Published: 20 March 2026
Summary
CVE-2026-32817 is a critical-severity Missing Authorization (CWE-862) vulnerability in Admidio Admidio. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly enforces required delete permissions beyond view-only access, preventing unauthorized folder and file deletions via authorization bypass.
Validates inputs including CSRF tokens and request methods, blocking forged GET-based delete requests.
Ensures least privilege so view-only users lack delete capabilities, limiting impact even if enforcement fails.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables exploitation of public-facing web application (T1190) for unauthorized data destruction via file/folder deletion (T1485).
NVD Description
Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the documents and files module does not verify whether the current user has permission to delete folders or files. The folder_delete and file_delete action handlers in modules/documents-files.php only…
more
perform a VIEW authorization check (getFolderForDownload / getFileForDownload) before calling delete(), and they never validate a CSRF token. Because the target UUIDs are read from $_GET, deletion can be triggered by a plain HTTP GET request. When the module is in public mode (documents_files_module_enabled = 1) and a folder is marked public (fol_public = true), an unauthenticated attacker can permanently destroy the entire document library. Even when the module requires login, any user with view-only access can delete content they are only permitted to read. This issue has been fixed in version 5.0.7.
Deeper analysisAI
CVE-2026-32817 is a critical authorization bypass vulnerability in Admidio, an open-source user management solution. Affecting versions 5.0.0 through 5.0.6, the issue resides in the documents and files module, specifically the folder_delete and file_delete action handlers in modules/documents-files.php. These handlers only perform a VIEW authorization check via getFolderForDownload or getFileForDownload before invoking delete(), without validating delete permissions or CSRF tokens. Target UUIDs are sourced from $_GET parameters, enabling deletion via simple HTTP GET requests.
Unauthenticated attackers can exploit this when the module is in public mode (documents_files_module_enabled = 1) and a folder is marked public (fol_public = true), allowing permanent destruction of the entire document library over the network with low complexity and no user interaction. Even in login-required configurations, any authenticated user with view-only access can delete content they are merely permitted to read, achieving high integrity and availability impacts as reflected in the CVSS v3.1 score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) and mapped to CWE-862 (Missing Authorization).
The GitHub Security Advisory at https://github.com/Admidio/admidio/security/advisories/GHSA-rmpj-3x5m-9m5f details the fix in Admidio version 5.0.7, which addresses the permission checks and CSRF validation deficiencies. Security practitioners should upgrade to 5.0.7 or later and review configurations for public exposure of the documents and files module.
Details
- CWE(s)