CVE-2026-32817
- Source
- https://cve.org/CVERecord?id=CVE-2026-32817
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32817.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-32817
- Aliases
- Published
- 2026-03-20T02:01:22.118Z
- Modified
- 2026-04-02T13:26:13.224305Z
- Severity
-
- 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H CVSS Calculator
- Summary
- Admidio is Missing Authorization and CSRF Protection on Document and Folder Deletion
- Details
-
Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the documents and files module does not verify whether the current user has permission to delete folders or files. The folderdelete and filedelete action handlers in modules/documents-files.php only perform a VIEW authorization check (getFolderForDownload / getFileForDownload) before calling delete(), and they never validate a CSRF token. Because the target UUIDs are read from $GET, deletion can be triggered by a plain HTTP GET request. When the module is in public mode (documentsfilesmoduleenabled = 1) and a folder is marked public (fol_public = true), an unauthenticated attacker can permanently destroy the entire document library. Even when the module requires login, any user with view-only access can delete content they are only permitted to read. This issue has been fixed in version 5.0.7.
- Database specific
{ "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32817.json", "cwe_ids": [ "CWE-862" ] }- References