CVE-2026-32817 Overview
CVE-2026-32817 is a critical authorization bypass vulnerability affecting Admidio, an open-source user management solution. The vulnerability exists in the documents and files module, which fails to properly verify whether the current user has permission to delete folders or files. The folder_delete and file_delete action handlers in modules/documents-files.php only perform a VIEW authorization check via getFolderForDownload and getFileForDownload functions before calling delete(), and critically, they never validate a CSRF token. Since target UUIDs are read from $_GET parameters, deletion can be triggered by a plain HTTP GET request, enabling both unauthenticated and authenticated attackers to permanently destroy document libraries.
Critical Impact
Unauthenticated attackers can permanently destroy entire document libraries when the module is in public mode, while authenticated users with view-only access can delete content they should only be able to read.
Affected Products
- Admidio versions 5.0.0 through 5.0.6
- Admidio installations with documents and files module enabled
- Public and authenticated Admidio deployments
Discovery Timeline
- 2026-03-20 - CVE CVE-2026-32817 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-32817
Vulnerability Analysis
This vulnerability combines two distinct security flaws: missing authorization checks (CWE-862) and missing CSRF token validation. The documents and files module in Admidio performs only a VIEW-level permission check when handling deletion requests, rather than verifying DELETE permissions. The authorization functions getFolderForDownload() and getFileForDownload() are designed to validate read access, not write or delete operations, yet they are used as the sole authorization gate before executing destructive delete() operations.
The absence of CSRF protection compounds this issue significantly. Since deletion is triggered via GET request parameters containing folder or file UUIDs, an attacker can craft malicious links that, when clicked by any authenticated user, will execute the deletion with that user's session context. In public mode configurations where documents_files_module_enabled = 1 and folders are marked with fol_public = true, no authentication is required at all.
Root Cause
The root cause is improper access control implementation in the modules/documents-files.php file. The developers implemented view-level authorization checks but failed to implement corresponding delete-level authorization checks. The vulnerable code path calls getFolderForDownload() or getFileForDownload() to validate access, but these functions only verify whether the user can view the resource—not whether they have permission to modify or delete it. Additionally, the use of GET requests for state-changing operations violates secure development practices and enables CSRF attacks without token validation.
Attack Vector
The vulnerability is exploitable remotely over the network without requiring any user interaction or special privileges when targeting public folders. An attacker can construct a malicious URL containing the target folder or file UUID and send it directly to the vulnerable endpoint. When the Admidio installation has documents_files_module_enabled set to 1 and target folders are marked public, the attack succeeds without authentication.
For non-public configurations, the attack requires either tricking an authenticated user into clicking a malicious link (CSRF scenario) or using any valid authenticated session with minimal view permissions. The attacker identifies target UUIDs through enumeration or information disclosure, then issues GET requests to the folder_delete or file_delete handlers. The lack of proper authorization allows the deletion to proceed, permanently destroying the targeted content.
Detection Methods for CVE-2026-32817
Indicators of Compromise
- Unexpected HTTP GET requests to modules/documents-files.php with folder_delete or file_delete actions
- Bulk or sequential deletion requests with varying UUID parameters
- Deletion requests originating from external referrers or containing CSRF-like patterns
- Missing or corrupted files in the Admidio document library without corresponding administrative actions
- Audit logs showing deletions performed by users who should only have view permissions
Detection Strategies
- Monitor web server access logs for GET requests containing folder_delete or file_delete parameters
- Implement alerting for deletion operations performed by users with view-only permissions
- Deploy web application firewall (WAF) rules to detect and block suspicious deletion request patterns
- Review Admidio application logs for unauthorized deletion attempts or permission mismatches
Monitoring Recommendations
- Enable comprehensive logging for all file and folder operations in Admidio
- Implement file integrity monitoring on the Admidio document storage directories
- Configure alerts for unusual patterns of document deletion activity
- Monitor for external referrer headers on deletion endpoints indicating potential CSRF attacks
How to Mitigate CVE-2026-32817
Immediate Actions Required
- Upgrade Admidio to version 5.0.7 or later immediately
- Review document library contents and restore from backups if unauthorized deletions are suspected
- Temporarily disable the documents and files module if immediate upgrade is not possible
- Audit access logs for evidence of exploitation attempts
- Restrict network access to the Admidio installation while remediation is in progress
Patch Information
The Admidio development team has addressed this vulnerability in version 5.0.7. The fix implements proper DELETE-level authorization checks and adds CSRF token validation for all state-changing operations. Organizations should upgrade immediately by downloading the latest release from the official Admidio repository. For detailed technical information about the vulnerability and the fix, refer to the GitHub Security Advisory GHSA-rmpj-3x5m-9m5f.
Workarounds
- Disable the documents and files module by setting documents_files_module_enabled = 0 in configuration until patching is possible
- Remove public access to all folders by ensuring fol_public = false for all document folders
- Implement web application firewall rules to block GET requests containing folder_delete or file_delete parameters
- Restrict access to the Admidio installation at the network level using IP whitelisting or VPN requirements
- Enable additional authentication layers such as basic authentication at the web server level as a temporary measure
# Disable documents and files module in Admidio configuration
# Edit adm_my_files/config.php and ensure:
$gSettingsManager->set('documents_files_module_enabled', 0);
# Or restrict access via web server (Apache example)
<LocationMatch "/modules/documents-files.php">
Require ip 10.0.0.0/8 192.168.0.0/16
</LocationMatch>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
