CVE-2026-32756: File Upload (RCE) Vulnerability in admidio

March 16, 2026 (updated March 20, 2026)

A critical unrestricted file upload vulnerability exists in the Documents & Files module of Admidio. Due to a design flaw in how CSRF token validation and file extension verification interact within UploadHandlerFile.php, an authenticated user with upload permissions can bypass file extension restrictions by intentionally submitting an invalid CSRF token. This allows the upload of arbitrary file types, including PHP scripts, which may lead to Remote Code Execution (RCE) on the server.

References

  • github.com/Admidio/admidio
  • github.com/Admidio/admidio/releases/tag/v5.0.7
  • github.com/Admidio/admidio/security/advisories/GHSA-95cq-p4w2-32w5
  • github.com/advisories/GHSA-95cq-p4w2-32w5
  • nvd.nist.gov/vuln/detail/CVE-2026-32756

Affected versions

All versions before 5.0.7

Fixed versions

  • 5.0.7

Solution

Upgrade to version 5.0.7 or above.
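
A check for the affected range stated above, as an added example (not part of the advisory or of Admidio's code): it reads a composer.lock and reports whether admidio/admidio is locked below 5.0.7. The sample lock content is constructed, and counting a pre-release of 5.0.7 as affected is an assumption.

```python
import json
import re

PACKAGE = "admidio/admidio"  # package named in this advisory
FIXED = (5, 0, 7)            # first fixed release per this advisory

def classify(version):
    """Map a composer.lock version string to 'affected', 'fixed' or 'unknown'."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?(?:\.\d+)?([-+].*)?", version.strip())
    if not m:
        return "unknown"     # e.g. dev-master: not orderable, review by hand
    nums = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    # Assumption: a pre-release of 5.0.7 (5.0.7-beta1) counts as before 5.0.7.
    prerelease = (m.group(4) or "").startswith("-")
    if nums < FIXED or (nums == FIXED and prerelease):
        return "affected"
    return "fixed"

def scan_lock(lock_text):
    """Return (section, version, status) for each admidio entry in a lock file."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if str(pkg.get("name", "")).lower() == PACKAGE:
                version = str(pkg.get("version", ""))
                findings.append((section, version, classify(version)))
    return findings

# Constructed sample composer.lock content (not taken from a real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "admidio/admidio", "version": "v5.0.6"},
        {"name": "example/other-lib", "version": "3.5.0"},
    ],
    "packages-dev": [{"name": "Admidio/Admidio", "version": "dev-master"}],
})

if __name__ == "__main__":
    for section, version, status in scan_lock(SAMPLE_LOCK):
        print(f"{PACKAGE} {version} [{section}]: {status}")
```

An "unknown" result means the locked version is a branch alias or another non-numeric string, so the installed commit has to be compared against the 5.0.7 release by hand.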

Impact 8.8 HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Weakness

  • CWE-434: Unrestricted Upload of File with Dangerous Type

Source file

packagist/admidio/admidio/CVE-2026-32756.yml

Page generated Mon, 11 May 2026 00:20:43 +0000.