Executive Summary

CVE-2026-32756 is a critical unrestricted file upload vulnerability in the Documents & Files module of Admidio versions 5.0.6 and below.

The vulnerability arises from a design flaw in the UploadHandlerFile.php component, where the interaction between CSRF token validation and file extension verification is flawed.

Specifically, when an authenticated user with upload permissions submits a file with an invalid CSRF token, the system sets an error but does not stop the upload process. The file is saved to disk before extension validation occurs, and because the extension check is skipped if there is an error, arbitrary file types—including dangerous ones like PHP scripts—can be uploaded.

This allows attackers to bypass file extension restrictions by intentionally submitting an invalid CSRF token, leading to potential Remote Code Execution (RCE) on the server.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows any authenticated user with upload permissions to upload arbitrary files, including malicious server-side scripts.

The primary impact is Remote Code Execution on the server, which can lead to full server compromise.

Consequences of exploitation include data exfiltration, lateral movement within the network, and potentially complete loss of confidentiality, integrity, and availability of the affected system.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking for the presence of unauthorized or suspicious files, such as PHP scripts, in the upload directories of the Documents & Files module in Admidio versions 5.0.6 and below.'}, {'type': 'paragraph', 'content': 'Since the vulnerability allows an authenticated user with upload permissions to bypass file extension restrictions by submitting an invalid CSRF token, monitoring upload requests for invalid CSRF tokens combined with file uploads can help detect exploitation attempts.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect suspicious files on the server include:'}, {'type': 'list_item', 'content': "Use find to locate PHP files in the upload directory: find /path/to/admidio/uploads -type f -name '*.php'"}, {'type': 'list_item', 'content': "Check web server access logs for requests to suspicious uploaded files: grep '.php' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': 'Monitor POST requests with invalid CSRF tokens by analyzing application logs or using a web application firewall (WAF) with custom rules.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and most effective step to mitigate this vulnerability is to upgrade Admidio to version 5.0.7 or later, where the issue has been fixed.

Additional mitigation steps include:

• Restrict upload permissions to only trusted users to reduce the risk of exploitation.
• Implement server-side monitoring to detect and remove any unauthorized uploaded files, especially executable scripts like PHP files.
• Configure the web server to prevent execution of uploaded files in the upload directories, for example by disabling PHP execution in those directories.
• Use a whitelist of allowed file extensions for uploads and ensure that file extension validation and CSRF token validation occur before saving files to disk.

Useful 0 Not Useful 0