
CVE Reports

Originally published at cvereports.com


GHSA-RMPJ-3X5M-9M5F: Missing Authorization and CSRF in Admidio Document Deletion

Vulnerability ID: GHSA-RMPJ-3X5M-9M5F
CVSS Score: 9.1
Published: 2026-03-16

Admidio versions 5.0.0 through 5.0.6 contain a critical vulnerability in the 'Documents and Files' module. The application does not enforce authorization or CSRF protection on the destructive file and folder deletion operations, so an attacker can cause unauthorized data destruction.

TL;DR

A missing authorization and CSRF vulnerability in Admidio allows unauthenticated users (when the module is in public mode) or under-privileged users to permanently delete files and folders by issuing simple HTTP GET requests.


Technical Details

  • CWE ID: CWE-862, CWE-352, CWE-306
  • Attack Vector: Network
  • CVSS Score: 9.1 (High)
  • Impact: Permanent Data Deletion (High Integrity/Availability Impact)
  • Exploit Status: Proof of Concept Available
  • Authentication Required: None (in public mode)

Affected Systems

  • Admidio Documents and Files Module
  • Admidio: >= 5.0.0, <= 5.0.6 (Fixed in: 5.0.7)

Mitigation Strategies

  • Upgrade Admidio to version 5.0.7 or later.
  • Disable public access to the Documents and Files module if immediate patching is not feasible.
  • Implement WAF rules to block HTTP GET requests attempting to trigger deletion handlers.

Remediation Steps

  1. Verify the current Admidio installation version.
  2. Backup the Admidio database and file system.
  3. Apply the 5.0.7 update following official Admidio upgrade procedures.
  4. Verify that file and folder deletions now strictly require HTTP POST requests and valid CSRF tokens.
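To make step 4 concrete, here is an added Python example (not Admidio's code) of the pattern the advisory describes next to the hardened form a deletion handler should take: the action is accepted only over POST, only with a CSRF token bound to the caller's session, and only for a caller holding the deletion right. The request shape, the storage dict and the `documents_admin` role name are assumptions for the illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed stand-in for an HTTP request plus its server-side session."""
    method: str
    params: dict
    session: dict = field(default_factory=dict)
    roles: set = field(default_factory=set)


def issue_csrf_token(session: dict) -> str:
    """Bind a fresh random token to the session; the delete form embeds it."""
    session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def delete_vulnerable(req: Request, storage: dict) -> str:
    """The flaw pattern: any request carrying an id removes the file, no checks."""
    if storage.pop(req.params.get("id"), None) is None:
        return "missing"
    return "deleted"


def delete_hardened(req: Request, storage: dict) -> str:
    """Destructive action gated on method, session-bound CSRF token and role."""
    if req.method != "POST":                      # CWE-352/306: no GET-triggered deletion
        return "method_not_allowed"
    expected = req.session.get("csrf_token", "")
    supplied = req.params.get("csrf_token", "")
    # Constant-time compare; a missing session token means no form was ever issued
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "csrf_rejected"                    # CWE-352: token missing or wrong
    if "documents_admin" not in req.roles:        # CWE-862: caller lacks the right (assumed role name)
        return "forbidden"
    if storage.pop(req.params.get("id"), None) is None:
        return "missing"
    return "deleted"
```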

