{
"document": {
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "en",
"notes": [
{
"category": "legal_disclaimer",
"text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
}
],
"publisher": {
"category": "coordinator",
"contact_details": "cert@ncsc.nl",
"name": "National Cyber Security Centre",
"namespace": "https://www.ncsc.nl/"
},
"title": "CVE-2026-32756",
"tracking": {
"current_release_date": "2026-03-25T10:02:47.778240Z",
"generator": {
"date": "2026-02-17T15:00:00Z",
"engine": {
"name": "V.E.L.M.A",
"version": "1.7"
}
},
"id": "CVE-2026-32756",
"initial_release_date": "2026-03-16T21:39:54.265106Z",
"revision_history": [
{
"date": "2026-03-16T21:39:54.265106Z",
"number": "1",
"summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)."
},
{
"date": "2026-03-16T21:40:01.987608Z",
"number": "2",
"summary": "NCSC Score created."
},
{
"date": "2026-03-19T15:31:04.251757Z",
"number": "3",
"summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)."
},
{
"date": "2026-03-20T18:21:29.250521Z",
"number": "4",
"summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (2).| CWES updated (1)."
},
{
"date": "2026-03-20T18:21:31.228992Z",
"number": "5",
"summary": "NCSC Score updated."
},
{
"date": "2026-03-20T18:21:44.395846Z",
"number": "6",
"summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)."
},
{
"date": "2026-03-20T18:21:46.766286Z",
"number": "7",
"summary": "NCSC Score updated."
},
{
"date": "2026-03-20T18:36:18.422857Z",
"number": "8",
"summary": "Unknown change."
},
{
"date": "2026-03-20T21:41:56.519972Z",
"number": "9",
"summary": "References created (2)."
},
{
"date": "2026-03-20T21:59:44.213298Z",
"number": "10",
"summary": "Source connected.| CVE status created. (valid)| EPSS created."
},
{
"date": "2026-03-20T21:59:47.639648Z",
"number": "11",
"summary": "NCSC Score updated."
},
{
"date": "2026-03-21T13:46:47.689251Z",
"number": "12",
"summary": "References removed (2)."
},
{
"date": "2026-03-22T00:52:10.570368Z",
"number": "13",
"summary": "References created (2)."
},
{
"date": "2026-03-22T11:25:12.010591Z",
"number": "14",
"summary": "References removed (2)."
},
{
"date": "2026-03-23T00:54:20.995522Z",
"number": "15",
"summary": "References created (2)."
},
{
"date": "2026-03-23T05:16:18.459959Z",
"number": "16",
"summary": "References removed (2)."
},
{
"date": "2026-03-24T06:57:30.827774Z",
"number": "17",
"summary": "Products connected (1).| Product Identifiers created (1).| Exploits created (1)."
},
{
"date": "2026-03-24T06:57:43.746383Z",
"number": "18",
"summary": "NCSC Score updated."
},
{
"date": "2026-03-24T20:56:43.896047Z",
"number": "19",
"summary": "References created (2)."
},
{
"date": "2026-03-24T20:57:15.697288Z",
"number": "20",
"summary": "NCSC Score updated."
}
],
"status": "interim",
"version": "20"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/<5.0.7",
"product": {
"name": "vers:unknown/<5.0.7",
"product_id": "CSAFPID-5895587",
"product_identification_helper": {
"cpe": "cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*"
}
}
}
],
"category": "product_name",
"name": "Admidio"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/<5.0.7",
"product": {
"name": "vers:unknown/<5.0.7",
"product_id": "CSAFPID-5874020"
}
}
],
"category": "product_name",
"name": "admidio"
}
],
"category": "vendor",
"name": "Admidio"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-32756",
"cwe": {
"id": "CWE-434",
"name": "Unrestricted Upload of File with Dangerous Type"
},
"notes": [
{
"category": "description",
"text": "### **Summary**\n\nA critical unrestricted file upload vulnerability exists in the Documents & Files module of Admidio. Due to a design flaw in how CSRF token validation and file extension verification interact within `UploadHandlerFile.php`, an authenticated user with upload permissions can bypass file extension restrictions by intentionally submitting an invalid CSRF token. This allows the upload of arbitrary file types, including PHP scripts, which may lead to Remote Code Execution (RCE) on the server.\n\n### **Details**\n\n**1. Critical - Unrestricted File Upload leading to Remote Code Execution (RCE)**\n\n**Root Cause Analysis:**\n\nThe root cause lies in a design flaw in `src/Infrastructure/Plugins/UploadHandlerFile.php`. The `UploadHandlerFile` class overrides two methods from its parent `UploadHandler` class:\n\n- `handle_form_data($file, $index)` — Validates the CSRF token. On failure, it sets `$file->error` and returns. The request is **not** terminated.\n- `handle_file_upload(...)` — Calls `parent::handle_file_upload()` to physically write the file to disk, then checks `if (!isset($file->error))` before running file extension validation (`allowedFileExtension()`).\n\nThe execution flow differs based on whether the CSRF token is valid:\n\n- **Valid CSRF token**: `handle_form_data()` does not set an error → extension check runs → invalid extension causes the uploaded file to be deleted from disk.\n- **Invalid CSRF token**: `handle_form_data()` sets `$file->error` → the `if (!isset($file->error))` guard in `handle_file_upload()` causes the extension validation to be skipped entirely → the cleanup code (`FileSystemUtils::deleteFileIfExists()`) is never reached → the file, already written to disk by the parent class, remains on the server and is directly accessible.\n\nIn summary, the file is always saved to disk by the parent class first. The extension check and cleanup only execute when no prior error exists. A deliberate CSRF token failure bypasses the extension filter while the file remains on disk.\n\n**Affected code** (`src/Infrastructure/Plugins/UploadHandlerFile.php`):\n\n```php\n// File is physically saved to disk here, before any Admidio-specific checks\n$file = parent::handle_file_upload($uploaded_file, $name, $size, $type, $error, $index, $content_range);\n\nif (!isset($file->error)) {\n // Extension validation is only reached when no prior error is set.\n // If CSRF validation failed in handle_form_data(), this block is skipped\n // and the uploaded file is never cleaned up from disk.\n if (!$newFile->allowedFileExtension()) {\n throw new Exception('SYS_FILE_EXTENSION_INVALID');\n }\n}\n```\n\n### **PoC**\n\nDocuments & Files Create folder\n![\"image\"](\"https://github.com/user-attachments/assets/2c927482-851b-4945-93d6-6e7a1e3bc21f\")
\n\n![\"image\"](\"https://github.com/user-attachments/assets/72443c87-e15f-4312-9659-8cd0661a4dae\")
\n\n\nFile Upload Try 1-1 (before request)\n![\"image\"](\"https://github.com/user-attachments/assets/d1ffaa12-aec1-45ff-a612-885d9554fb60\")
\n\n\nFile Upload Try 1-2 (after request)\n![\"image\"](\"https://github.com/user-attachments/assets/4ece4aac-1255-4189-9048-45ff3df4abcf\")
\n\n\n\nFile Upload Try 1-3 (After changing CSRF to a test value, request → PHP file upload succeeds)\n![\"image\"](\"https://github.com/user-attachments/assets/63f9d108-5e4f-4d32-96d2-09f9ad910873\")
\n\n\n✅ rcepoc.php Upload Success!\n![\"image\"](\"https://github.com/user-attachments/assets/4de99c31-dc3c-44f2-9936-19c3da0dfffb\")
\n\n\nAccess the rcepoc upload path confirmed in the response and check the web shell.\n![\"image\"](\"https://github.com/user-attachments/assets/0b770caf-e737-4cbd-97b9-ae191a8b79f5\")
\n\n\n🆗 WebShell Success\n![\"image\"](\"https://github.com/user-attachments/assets/e90f162b-7949-41c4-9fd1-aad3b6365adf\")
\n\n![\"image\"](\"https://github.com/user-attachments/assets/f45dae74-a830-4761-af31-f2ac28eb2586\")
\n\n\n**Steps to Reproduce:**\n\n1. Log in to Admidio as an authenticated user with upload permissions on the Documents & Files module.\n2. Navigate to a folder in the Documents & Files module and open the file upload dialog.\n3. Intercept the upload POST request to `/system/file_upload.php?module=documents_files&mode=upload_files&uuid=` using a proxy tool such as Burp Suite.\n4. Replace the value of the `adm_csrf_token` field with an arbitrary invalid string (e.g., `webshellgogo`).\n5. Set the file to be uploaded to a PHP webshell (e.g., ``).\n6. Forward the modified request.\n7. Observe that the server responds with HTTP `200 OK`. The JSON body contains `\"error\":\"Invalid or missing CSRF token!\"`, yet the file is physically present on the server at the path indicated in the `url` field.\n8. Access the uploaded PHP file directly via the URL provided in the response — arbitrary command execution is confirmed.\n\n### **Impact**\n\n- An authenticated attacker with upload permissions can bypass file extension validation and upload arbitrary server-side scripts such as PHP webshells.\n- This leads to Remote Code Execution (RCE), potentially resulting in full server compromise, sensitive data exfiltration, and lateral movement.\n- While authentication is required, the attack is not limited to administrators — any member granted upload rights may exploit this vulnerability, making the attack surface broader than it may initially appear.\n\n### **Remediation Measures**\n\n- The extension validation logic should be executed independently of the CSRF error state. It is recommended to move the extension check and the corresponding cleanup outside of the `if (!isset($file->error))` block so that files with disallowed extensions are always removed from disk, regardless of other errors.\n- Rather than relying on a blacklist of dangerous extensions (e.g., `.php`, `.phar`, `.phtml`), it is strongly recommended to implement a **whitelist** of permitted extensions appropriate to a documents module (e.g., `.pdf`, `.docx`, `.xlsx`, `.pptx`, `.txt`).\n- CSRF token validation should either be performed before the file is written to disk, or a validation failure should result in immediate request termination rather than merely setting an error flag on the file object.",
"title": "github - https://github.com/advisories/GHSA-95cq-p4w2-32w5"
},
{
"category": "description",
"text": "### **Summary**\n\nA critical unrestricted file upload vulnerability exists in the Documents & Files module of Admidio. Due to a design flaw in how CSRF token validation and file extension verification interact within `UploadHandlerFile.php`, an authenticated user with upload permissions can bypass file extension restrictions by intentionally submitting an invalid CSRF token. This allows the upload of arbitrary file types, including PHP scripts, which may lead to Remote Code Execution (RCE) on the server.\n\n### **Details**\n\n**1. Critical - Unrestricted File Upload leading to Remote Code Execution (RCE)**\n\n**Root Cause Analysis:**\n\nThe root cause lies in a design flaw in `src/Infrastructure/Plugins/UploadHandlerFile.php`. The `UploadHandlerFile` class overrides two methods from its parent `UploadHandler` class:\n\n- `handle_form_data($file, $index)` — Validates the CSRF token. On failure, it sets `$file->error` and returns. The request is **not** terminated.\n- `handle_file_upload(...)` — Calls `parent::handle_file_upload()` to physically write the file to disk, then checks `if (!isset($file->error))` before running file extension validation (`allowedFileExtension()`).\n\nThe execution flow differs based on whether the CSRF token is valid:\n\n- **Valid CSRF token**: `handle_form_data()` does not set an error → extension check runs → invalid extension causes the uploaded file to be deleted from disk.\n- **Invalid CSRF token**: `handle_form_data()` sets `$file->error` → the `if (!isset($file->error))` guard in `handle_file_upload()` causes the extension validation to be skipped entirely → the cleanup code (`FileSystemUtils::deleteFileIfExists()`) is never reached → the file, already written to disk by the parent class, remains on the server and is directly accessible.\n\nIn summary, the file is always saved to disk by the parent class first. The extension check and cleanup only execute when no prior error exists. A deliberate CSRF token failure bypasses the extension filter while the file remains on disk.\n\n**Affected code** (`src/Infrastructure/Plugins/UploadHandlerFile.php`):\n\n```php\n// File is physically saved to disk here, before any Admidio-specific checks\n$file = parent::handle_file_upload($uploaded_file, $name, $size, $type, $error, $index, $content_range);\n\nif (!isset($file->error)) {\n // Extension validation is only reached when no prior error is set.\n // If CSRF validation failed in handle_form_data(), this block is skipped\n // and the uploaded file is never cleaned up from disk.\n if (!$newFile->allowedFileExtension()) {\n throw new Exception('SYS_FILE_EXTENSION_INVALID');\n }\n}\n```\n\n### **PoC**\n\nDocuments & Files Create folder\n\n\n\n\n\nFile Upload Try 1-1 (before request)\n\n\n\nFile Upload Try 1-2 (after request)\n\n\n\n\nFile Upload Try 1-3 (After changing CSRF to a test value, request → PHP file upload succeeds)\n\n\n\n✅ rcepoc.php Upload Success!\n\n\n\nAccess the rcepoc upload path confirmed in the response and check the web shell.\n\n\n\n🆗 WebShell Success\n\n\n\n\n\n**Steps to Reproduce:**\n\n1. Log in to Admidio as an authenticated user with upload permissions on the Documents & Files module.\n2. Navigate to a folder in the Documents & Files module and open the file upload dialog.\n3. Intercept the upload POST request to `/system/file_upload.php?module=documents_files&mode=upload_files&uuid=` using a proxy tool such as Burp Suite.\n4. Replace the value of the `adm_csrf_token` field with an arbitrary invalid string (e.g., `webshellgogo`).\n5. Set the file to be uploaded to a PHP webshell (e.g., ``).\n6. Forward the modified request.\n7. Observe that the server responds with HTTP `200 OK`. The JSON body contains `\"error\":\"Invalid or missing CSRF token!\"`, yet the file is physically present on the server at the path indicated in the `url` field.\n8. Access the uploaded PHP file directly via the URL provided in the response — arbitrary command execution is confirmed.\n\n### **Impact**\n\n- An authenticated attacker with upload permissions can bypass file extension validation and upload arbitrary server-side scripts such as PHP webshells.\n- This leads to Remote Code Execution (RCE), potentially resulting in full server compromise, sensitive data exfiltration, and lateral movement.\n- While authentication is required, the attack is not limited to administrators — any member granted upload rights may exploit this vulnerability, making the attack surface broader than it may initially appear.\n\n### **Remediation Measures**\n\n- The extension validation logic should be executed independently of the CSRF error state. It is recommended to move the extension check and the corresponding cleanup outside of the `if (!isset($file->error))` block so that files with disallowed extensions are always removed from disk, regardless of other errors.\n- Rather than relying on a blacklist of dangerous extensions (e.g., `.php`, `.phar`, `.phtml`), it is strongly recommended to implement a **whitelist** of permitted extensions appropriate to a documents module (e.g., `.pdf`, `.docx`, `.xlsx`, `.pptx`, `.txt`).\n- CSRF token validation should either be performed before the file is written to disk, or a validation failure should result in immediate request termination rather than merely setting an error flag on the file object.",
"title": "github - https://api.github.com/advisories/GHSA-95cq-p4w2-32w5"
},
{
"category": "description",
"text": "Admidio is an open-source user management solution. Versions 5.0.6 and below contain a critical unrestricted file upload vulnerability in the Documents & Files module. Due to a design flaw in how CSRF token validation and file extension verification interact within UploadHandlerFile.php, an authenticated user with upload permissions can bypass file extension restrictions by intentionally submitting an invalid CSRF token. This allows the upload of arbitrary file types, including PHP scripts, which may lead to Remote Code Execution on the server, resulting in full server compromise, data exfiltration, and lateral movement. This issue has been fixed in version 5.0.7.",
"title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/32xxx/CVE-2026-32756.json"
},
{
"category": "description",
"text": "Admidio is an open-source user management solution. Versions 5.0.6 and below contain a critical unrestricted file upload vulnerability in the Documents & Files module. Due to a design flaw in how CSRF token validation and file extension verification interact within UploadHandlerFile.php, an authenticated user with upload permissions can bypass file extension restrictions by intentionally submitting an invalid CSRF token. This allows the upload of arbitrary file types, including PHP scripts, which may lead to Remote Code Execution on the server, resulting in full server compromise, data exfiltration, and lateral movement. This issue has been fixed in version 5.0.7.",
"title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-32756"
},
{
"category": "other",
"text": "0.00085",
"title": "EPSS"
},
{
"category": "other",
"text": "3.2",
"title": "NCSC Score"
},
{
"category": "other",
"text": "The value of the most recent EPSS score, Is related to (a version of) an uncommon product, There is exploit data available from source Nvd, Is related to CWE-434 (Unrestricted Upload of File with Dangerous Type)",
"title": "NCSC Score top decreasing factors"
}
],
"product_status": {
"known_affected": [
"CSAFPID-5874020",
"CSAFPID-5895587"
]
},
"references": [
{
"category": "external",
"summary": "Source - github",
"url": "https://github.com/advisories/GHSA-95cq-p4w2-32w5"
},
{
"category": "external",
"summary": "Source raw - github",
"url": "https://api.github.com/advisories/GHSA-95cq-p4w2-32w5"
},
{
"category": "external",
"summary": "Source - github",
"url": "https://api.github.com/advisories/GHSA-95cq-p4w2-32w5"
},
{
"category": "external",
"summary": "Source - cveprojectv5",
"url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/32xxx/CVE-2026-32756.json"
},
{
"category": "external",
"summary": "Source - nvd",
"url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-32756"
},
{
"category": "external",
"summary": "Source - first",
"url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
},
{
"category": "external",
"summary": "Reference - cveprojectv5; github; nvd",
"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-95cq-p4w2-32w5"
},
{
"category": "external",
"summary": "Reference - github",
"url": "https://github.com/advisories/GHSA-95cq-p4w2-32w5"
},
{
"category": "external",
"summary": "Reference - cveprojectv5; github; nvd",
"url": "https://github.com/Admidio/admidio/releases/tag/v5.0.7"
},
{
"category": "external",
"summary": "Reference - github",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32756"
}
],
"scores": [
{
"cvss_v3": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"baseScore": 8.8,
"baseSeverity": "HIGH"
},
"products": [
"CSAFPID-5874020",
"CSAFPID-5895587"
]
}
],
"title": "CVE-2026-32756"
}
]
}