Summary
A critical unrestricted file upload vulnerability exists in the Documents & Files module of Admidio. Due to a design flaw in how CSRF token validation and file extension verification interact within UploadHandlerFile.php, an authenticated user with upload permissions can bypass file extension restrictions by intentionally submitting an invalid CSRF token. This allows the upload of arbitrary file types, including PHP scripts, which may lead to Remote Code Execution (RCE) on the server.
Details
1. Critical - Unrestricted File Upload leading to Remote Code Execution (RCE)
Root Cause Analysis:
The root cause lies in a design flaw in src/Infrastructure/Plugins/UploadHandlerFile.php. The UploadHandlerFile class overrides two methods from its parent UploadHandler class:
- handle_form_data($file, $index): validates the CSRF token. On failure it sets $file->error and returns; the request is not terminated.
- handle_file_upload(...): calls parent::handle_file_upload() to physically write the file to disk, then checks if (!isset($file->error)) before running the file extension validation (allowedFileExtension()).
The execution flow differs based on whether the CSRF token is valid:
- Valid CSRF token: handle_form_data() does not set an error → the extension check runs → an invalid extension causes the uploaded file to be deleted from disk.
- Invalid CSRF token: handle_form_data() sets $file->error → the if (!isset($file->error)) guard in handle_file_upload() skips the extension validation entirely → the cleanup code (FileSystemUtils::deleteFileIfExists()) is never reached → the file, already written to disk by the parent class, remains on the server and is directly accessible.
In summary, the file is always saved to disk by the parent class first. The extension check and cleanup only execute when no prior error exists. A deliberate CSRF token failure bypasses the extension filter while the file remains on disk.
Affected code (src/Infrastructure/Plugins/UploadHandlerFile.php):
```php
// File is physically saved to disk here, before any Admidio-specific checks
$file = parent::handle_file_upload($uploaded_file, $name, $size, $type, $error, $index, $content_range);
if (!isset($file->error)) {
    // Extension validation is only reached when no prior error is set.
    // If CSRF validation failed in handle_form_data(), this block is skipped
    // and the uploaded file is never cleaned up from disk.
    // ($newFile is the Admidio File object built from the upload; its construction is elided in the advisory.)
    if (!$newFile->allowedFileExtension()) {
        throw new Exception('SYS_FILE_EXTENSION_INVALID');
    }
}
```
PoC
Screenshots from the original report (captions only):
- Documents & Files: Create folder
- File Upload Try 1-1 (before request)
- File Upload Try 1-2 (after request)
- File Upload Try 1-3 (after changing the CSRF token to a test value, the request succeeds and the PHP file is uploaded)
- ✅ rcepoc.php upload success
- 🆗 Accessing the rcepoc.php upload path returned in the response confirms the web shell
Steps to Reproduce:
- Log in to Admidio as an authenticated user with upload permissions on the Documents & Files module.
- Navigate to a folder in the Documents & Files module and open the file upload dialog.
- Intercept the upload POST request to /system/file_upload.php?module=documents_files&mode=upload_files&uuid=<folder_uuid> with a proxy such as Burp Suite.
- Replace the value of the adm_csrf_token field with an arbitrary invalid string (e.g., webshellgogo).
- Set the uploaded file to a PHP webshell (e.g., <?php system($_GET[1]); ?>).
- Forward the modified request.
- Observe that the server responds with HTTP 200 OK. The JSON body contains "error":"Invalid or missing CSRF token!", yet the file is physically present on the server at the path indicated in the url field.
- Access the uploaded PHP file directly via the URL returned in the response; arbitrary command execution is confirmed.
Impact
- An authenticated attacker with upload permissions can bypass file extension validation and upload arbitrary server-side scripts such as PHP webshells.
- This leads to Remote Code Execution (RCE), potentially resulting in full server compromise, sensitive data exfiltration, and lateral movement.
- While authentication is required, the attack is not limited to administrators, any member granted upload rights may exploit this vulnerability, making the attack surface broader than it may initially appear.
Remediation Measures
- Execute the extension validation independently of the CSRF error state: move the extension check and the corresponding cleanup outside the if (!isset($file->error)) block so that files with disallowed extensions are always removed from disk, regardless of other errors.
- Rather than relying on a blacklist of dangerous extensions (e.g., .php, .phar, .phtml), implement a whitelist of extensions appropriate to a documents module (e.g., .pdf, .docx, .xlsx, .pptx, .txt).
- Perform CSRF token validation before the file is written to disk, or make a validation failure terminate the request immediately rather than merely setting an error flag on the file object.
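The ordering defect from the root cause analysis and the three remediation points above, modelled side by side as an added Python example (not Admidio's PHP and not the project's fix): a parent handler that calls the form-data hook and then writes the file regardless, a subclass that mirrors the vulnerable control flow, and a hardened subclass that fails closed on the CSRF check before anything reaches disk and runs the extension check outside the error guard. The allow-list, token value and file names are constructed for the demo; the two error strings are the ones quoted in the advisory.

```python
"""Simulation of the upload-handler ordering flaw behind CVE-2026-32756.

Added example: a Python model of the control flow, not Admidio code.
ALLOWED_EXTENSIONS, VALID_CSRF_TOKEN and the file names are constructed;
the error strings are the ones quoted in the advisory.
"""
import os
import tempfile
from dataclasses import dataclass
from typing import Optional, Tuple, Type

ALLOWED_EXTENSIONS = {"pdf", "docx", "xlsx", "pptx", "txt"}  # allow-list, per remediation item 2
VALID_CSRF_TOKEN = "a3f9c2e1-session-token"  # the session's real token (constructed)


@dataclass
class UploadedFile:
    """Mirrors the $file object the PHP handlers pass around."""
    name: str
    path: Optional[str] = None
    error: Optional[str] = None


def extension_of(name: str) -> str:
    """Lower-cased final extension, or '' when there is none."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


class BaseUploadHandler:
    """Stand-in for the parent UploadHandler: runs the form-data hook, then
    writes the file to disk whether or not the hook recorded an error."""

    def __init__(self, upload_dir: str, csrf_token: str) -> None:
        self.upload_dir = upload_dir
        self.csrf_token = csrf_token

    def handle_form_data(self, file: UploadedFile, index: int) -> None:
        pass  # overridden by subclasses

    def handle_file_upload(self, filename: str, content: bytes, index: int = 0) -> UploadedFile:
        file = UploadedFile(name=filename)
        self.handle_form_data(file, index)  # an error here is only noted on $file
        file.path = os.path.join(self.upload_dir, filename)
        with open(file.path, "wb") as fh:  # the file is on disk from this point on
            fh.write(content)
        return file


class VulnerableHandler(BaseUploadHandler):
    """Mirrors UploadHandlerFile before the fix."""

    def handle_form_data(self, file: UploadedFile, index: int) -> None:
        if self.csrf_token != VALID_CSRF_TOKEN:
            file.error = "Invalid or missing CSRF token!"  # flag set, request continues

    def handle_file_upload(self, filename: str, content: bytes, index: int = 0) -> UploadedFile:
        file = super().handle_file_upload(filename, content, index)  # already written
        if file.error is None:  # guard: skipped entirely when the CSRF check failed
            if extension_of(file.name) not in ALLOWED_EXTENSIONS:
                os.remove(file.path)  # cleanup lives inside the guarded block
                file.error = "SYS_FILE_EXTENSION_INVALID"
        return file


class FixedHandler(BaseUploadHandler):
    """Hardened variant: terminate on CSRF failure before the write (items 1 and 3),
    and run the extension check and cleanup independently of any earlier error."""

    def handle_form_data(self, file: UploadedFile, index: int) -> None:
        if self.csrf_token != VALID_CSRF_TOKEN:
            raise PermissionError("Invalid or missing CSRF token!")  # nothing reaches disk

    def handle_file_upload(self, filename: str, content: bytes, index: int = 0) -> UploadedFile:
        file = super().handle_file_upload(filename, content, index)
        if extension_of(file.name) not in ALLOWED_EXTENSIONS:  # outside any error guard
            if file.path and os.path.exists(file.path):
                os.remove(file.path)
            file.error = file.error or "SYS_FILE_EXTENSION_INVALID"
        return file


def run_scenario(handler_cls: Type[BaseUploadHandler], csrf_token: str, filename: str,
                 content: bytes = b"<?php system($_GET[1]); ?>") -> Tuple[Optional[str], bool]:
    """Push one upload through handler_cls; return (reported error, file still on disk)."""
    with tempfile.TemporaryDirectory() as upload_dir:
        handler = handler_cls(upload_dir, csrf_token)
        try:
            error = handler.handle_file_upload(filename, content).error
        except PermissionError as exc:
            error = str(exc)
        on_disk = os.path.exists(os.path.join(upload_dir, filename))
    return error, on_disk


if __name__ == "__main__":
    for cls in (VulnerableHandler, FixedHandler):
        for token in (VALID_CSRF_TOKEN, "webshellgogo"):
            err, left = run_scenario(cls, token, "rcepoc.php")
            label = "valid" if token == VALID_CSRF_TOKEN else "bogus"
            print(f"{cls.__name__:18} token={label:5} error={err!r} file_left_on_disk={left}")
```

The vulnerable handler with a bogus token reports the CSRF error and leaves rcepoc.php on disk, which is exactly the "error in the JSON, file at the url" contradiction in the PoC; the hardened handler never writes in that case, and with a valid token removes the disallowed file on every path. The model only checks the final extension, as the advisory's allow-list recommendation does; whether the web server would actually execute a stored file is a separate deployment question the advisory does not cover.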
Impact
The application accepts file uploads without adequately restricting the file type or content. Typical impact: remote code execution if the uploaded file can be served and executed on the server.
CVE-2026-32756 has a CVSS score of 8.8 (High). The vector is network-reachable and requires low privileges and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (5.0.7); upgrading removes the vulnerable code path.
Affected versions
admidio/admidio (composer) <= 5.0.6
Security releases
admidio/admidio 5.0.7
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-32756? CVE-2026-32756 is a high-severity unrestricted upload of dangerous file types vulnerability in admidio/admidio (composer), affecting versions <= 5.0.6. It is fixed in 5.0.7. The application accepts file uploads without adequately restricting the file type or content.
- How severe is CVE-2026-32756? CVE-2026-32756 has a CVSS score of 8.8 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of admidio/admidio are affected by CVE-2026-32756? admidio/admidio (composer) versions <= 5.0.6 are affected.
- Is there a fix for CVE-2026-32756? Yes. CVE-2026-32756 is fixed in 5.0.7. Upgrade to this version or later.
- Is CVE-2026-32756 exploitable, and should I be worried? Whether CVE-2026-32756 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2026-32756 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-32756? Upgrade admidio/admidio to 5.0.7 or later.