CVE-2026-32817
Received Received - Intake
Unauthorized Deletion via CSRF in Admidio Documents Module

Publication date: 2026-03-20

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the documents and files module does not verify whether the current user has permission to delete folders or files. The folder_delete and file_delete action handlers in modules/documents-files.php only perform a VIEW authorization check (getFolderForDownload / getFileForDownload) before calling delete(), and they never validate a CSRF token. Because the target UUIDs are read from $_GET, deletion can be triggered by a plain HTTP GET request. When the module is in public mode (documents_files_module_enabled = 1) and a folder is marked public (fol_public = true), an unauthenticated attacker can permanently destroy the entire document library. Even when the module requires login, any user with view-only access can delete content they are only permitted to read. This issue has been fixed in version 5.0.7.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-03-23
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32817
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
admidio admidio From 5.0.0 (inc) to 5.0.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-32817 is a critical vulnerability in the Admidio open-source user management solution, specifically in its documents and files module versions 5.0.0 through 5.0.6.'}, {'type': 'paragraph', 'content': "The vulnerability arises because the module's folder and file deletion handlers only check if a user has VIEW permissions before allowing deletion, instead of verifying if the user has proper upload or admin rights. Additionally, these handlers do not validate CSRF tokens and accept deletion requests via HTTP GET parameters."}, {'type': 'paragraph', 'content': 'This means that an unauthenticated attacker can delete public folders if the module is in public mode, and authenticated users with view-only access can delete files or folders they should only be able to read. The deletion is permanent and recursive, removing all subfolders and files from both the database and filesystem.'}, {'type': 'paragraph', 'content': 'The issue is due to missing authorization checks and lack of CSRF protection, allowing deletion through simple GET requests without proper validation.'}] [1]

Impact Analysis

This vulnerability can have severe impacts including:

  • Permanent and irreversible deletion of documents and folders from the Admidio system.
  • Privilege escalation where users with only view permissions can delete content.
  • Unauthenticated attackers can delete entire public document libraries if the module is in public mode.
  • Potential full organizational data loss if critical folders are deleted.
  • No built-in recovery mechanism aside from restoring from backups.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking for unauthorized deletion requests targeting the Admidio documents and files module endpoints that use HTTP GET parameters for deletion actions.'}, {'type': 'paragraph', 'content': 'Specifically, monitoring HTTP GET requests to the deletion handlers (such as those including folder_uuid or file_uuid parameters) can reveal attempts to exploit the vulnerability.'}, {'type': 'paragraph', 'content': 'You can use network monitoring or web server logs to identify suspicious GET requests that trigger deletions without proper authorization.'}, {'type': 'list_item', 'content': 'Use tools like curl or wget to test if deletion endpoints accept GET requests without CSRF tokens, for example:'}, {'type': 'list_item', 'content': 'curl -v "http://your-admidio-site/path/modules/documents-files.php?action=folder_delete&folder_uuid=TARGET_UUID"'}, {'type': 'list_item', 'content': "Check web server access logs for GET requests containing 'folder_delete' or 'file_delete' actions with UUID parameters."}, {'type': 'list_item', 'content': 'Monitor for unexpected deletions or missing documents/folders that could indicate exploitation.'}] [1]

Mitigation Strategies

The immediate mitigation steps include:

  • Upgrade Admidio to version 5.0.7 or later, where this vulnerability has been fixed.
  • If upgrading is not immediately possible, restrict access to the documents and files module endpoints to trusted users only, for example by IP whitelisting or network segmentation.
  • Disable the documents_files_module or set it to a mode that limits public access (avoid public mode with documents_files_module_enabled = 1).
  • Monitor and block HTTP GET requests attempting to delete folders or files by filtering requests with folder_delete or file_delete actions.
  • Educate users about the risk of CSRF attacks and advise them not to visit untrusted websites while logged into Admidio.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32817. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart