{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32817", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-16T17:35:36.696Z", "datePublished": "2026-03-20T02:01:22.118Z", "dateUpdated": "2026-03-20T02:01:22.118Z"}, "containers": {"cna": {"title": "Admidio is Missing Authorization and CSRF Protection on Document and Folder Deletion", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/Admidio/admidio/security/advisories/GHSA-rmpj-3x5m-9m5f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-rmpj-3x5m-9m5f"}], "affected": [{"vendor": "Admidio", "product": "admidio", "versions": [{"version": ">= 5.0.0, < 5.0.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T02:01:22.118Z"}, "descriptions": [{"lang": "en", "value": "Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the documents and files module does not verify whether the current user has permission to delete folders or files. The folder_delete and file_delete action handlers in modules/documents-files.php only perform a VIEW authorization check (getFolderForDownload / getFileForDownload) before calling delete(), and they never validate a CSRF token. Because the target UUIDs are read from $_GET, deletion can be triggered by a plain HTTP GET request. When the module is in public mode (documents_files_module_enabled = 1) and a folder is marked public (fol_public = true), an unauthenticated attacker can permanently destroy the entire document library. Even when the module requires login, any user with view-only access can delete content they are only permitted to read. This issue has been fixed in version 5.0.7."}], "source": {"advisory": "GHSA-rmpj-3x5m-9m5f", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the documents and files module does not verify whether the current user has permission to delete folders or files. The folder_delete and file_delete action handlers in modules/documents-files.php only perform a VIEW authorization check (getFolderForDownload / getFileForDownload) before calling delete(), and they never validate a CSRF token. Because the target UUIDs are read from $_GET, deletion can be triggered by a plain HTTP GET request. When the module is in public mode (documents_files_module_enabled = 1) and a folder is marked public (fol_public = true), an unauthenticated attacker can permanently destroy the entire document library. Even when the module requires login, any user with view-only access can delete content they are only permitted to read. This issue has been fixed in version 5.0.7."}], "id": "CVE-2026-32817", "lastModified": "2026-03-20T13:37:50.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T02:16:35.380", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-rmpj-3x5m-9m5f"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.0.0,5.0.7)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "admidio", "source": "cna", "vendor": "Admidio"}, "product": "admidio", "vendor": "admidio"}], "analysis": {"en": {"generated_at": "2026-03-20T03:20:44.943471+00:00", "value": {"mitigation_remediation": ["Upgrade Admidio to version 5.0.7 or later where the issue is fixed.", "If an upgrade is not immediately possible, disable the documents_files_module_enabled flag or configure all folders as non\u2011public (fol_public = false).", "Implement a CSRF token check in the delete action handlers and enforce write\u2011level authorization before executing delete operations."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized data deletion"}, "threat_synthesis": {"affected_systems": "The bug affects Admidio community edition versions 5.0.0 through 5.0.6 inclusive. Any installation running modules/documents-files.php with the documents_files_module_enabled flag set to 1 and containing public folders (fol_public = true) is vulnerable. Even when login is required, users with only view permissions can delete content they are not allowed to delete.", "description_and_impact": "Admidio\u2019s document and file module performs only a VIEW authorization check before deleting entries and fails to verify a CSRF token. Deletion is triggered by a plain HTTP GET request and the identifiers come directly from the query string. Consequently, attackers can delete folders or files without proper authorization, potentially causing permanent loss of all document library content. The weakness is a missing authorization check and missing CSRF protection (CWE\u2011862).", "risk_and_exploitability": "The CVSS v3.1 score of 9.1 classifies this flaw as critical. Although EPSS data is not available, the flaw is not listed in the CISA KEV catalog, indicating it may not be actively exploited. However, the vulnerability is trivially exploitable via a GET request, either by unauthenticated users in public mode or by any authenticated user with merely view rights. The impact is destructive and local to the instance, potentially resulting in total loss of document assets."}}}}, "created": "2026-03-20T08:53:09.819730+00:00", "updated": "2026-03-20T10:43:03.303517+00:00", "vendors": ["admidio", "admidio$PRODUCT$admidio"]}