Authorization bypass through user-controlled key in Admidio - CVE-2026-47230

 


Published: May 25, 2026


Vulnerability identifier: #VU132283
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-47230
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Admidio
Affected software:
Admidio

Detailed vulnerability description

The vulnerability allows a remote authenticated user to modify the names and descriptions of files in folders they can view but cannot upload to.

The vulnerability exists due to an authorization bypass through a user-controlled key (CWE-639) in modules/documents-files.php (mode file_rename_save) and DocumentsService::renameFile(). When a file rename request is handled, the upload permission is checked against the supplied folder_uuid, while the target file_uuid is resolved separately and is never required to belong to that folder. A remote user can send a specially crafted request that pairs the folder_uuid of a folder they can upload to with the file_uuid of a file they can only view in another folder, and thereby change the name and description of a file in a folder they cannot upload to.

Only files in folders the user can view but not edit are affected; the file stays in its original folder while its name and description are changed.
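The following is an added illustration of the flaw class described above, not Admidio's code: a minimal hypothetical document store in which the vulnerable rename authorizes against the client-supplied folder_uuid and then loads the file by an unrelated file_uuid, beside a hardened rename that binds the two keys and authorizes against the folder the file actually lives in. All class names, user names and UUID strings are made up for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Folder:
    uuid: str
    viewers: set = field(default_factory=set)    # users who may list/download
    uploaders: set = field(default_factory=set)  # users who may upload/rename/edit


@dataclass
class File:
    uuid: str
    folder_uuid: str
    name: str
    description: str = ""


class PermissionDenied(Exception):
    pass


class DocumentStore:
    """Hypothetical store; not Admidio's DocumentsService."""

    def __init__(self):
        self.folders = {}
        self.files = {}

    def add_folder(self, folder):
        self.folders[folder.uuid] = folder

    def add_file(self, f):
        self.files[f.uuid] = f

    def can_view(self, user, folder_uuid):
        folder = self.folders[folder_uuid]
        return user in folder.viewers or user in folder.uploaders

    def can_upload(self, user, folder_uuid):
        return user in self.folders[folder_uuid].uploaders

    def rename_vulnerable(self, user, folder_uuid, file_uuid, new_name, new_desc):
        # Authorization is keyed on the client-supplied folder_uuid ...
        if not self.can_upload(user, folder_uuid):
            raise PermissionDenied("no upload right on requested folder")
        # ... but the file is fetched by a second, independent client-supplied key
        # and only checked for *view* access, so it may live in any viewable folder.
        f = self.files[file_uuid]
        if not self.can_view(user, f.folder_uuid):
            raise PermissionDenied("file not visible")
        f.name, f.description = new_name, new_desc
        return f

    def rename_fixed(self, user, folder_uuid, file_uuid, new_name, new_desc):
        f = self.files[file_uuid]
        # Bind the two keys: the file must belong to the folder named in the request.
        if f.folder_uuid != folder_uuid:
            raise PermissionDenied("file is not in the requested folder")
        # Authorize against the folder the file actually lives in, never the
        # folder the client chose to name.
        if not self.can_upload(user, f.folder_uuid):
            raise PermissionDenied("no upload right on the file's folder")
        f.name, f.description = new_name, new_desc
        return f


def build_sample_store():
    """Constructed sample data: alice may upload to folder-a but only view folder-b."""
    store = DocumentStore()
    store.add_folder(Folder("folder-a", uploaders={"alice"}))
    store.add_folder(Folder("folder-b", viewers={"alice"}, uploaders={"bob"}))
    store.add_file(File("file-a1", "folder-a", "notes.txt"))
    store.add_file(File("file-b1", "folder-b", "report.pdf", "quarterly report"))
    return store


def is_denied(fn, *args):
    """True if the call raises PermissionDenied, False if it succeeds."""
    try:
        fn(*args)
        return False
    except PermissionDenied:
        return True


if __name__ == "__main__":
    s = build_sample_store()
    # Crafted request: uploadable folder-a paired with view-only file-b1.
    s.rename_vulnerable("alice", "folder-a", "file-b1", "renamed.pdf", "tampered")
    print("vulnerable:", s.files["file-b1"])           # renamed, still in folder-b
    s = build_sample_store()
    print("fixed denies:", is_denied(s.rename_fixed, "alice", "folder-a",
                                     "file-b1", "renamed.pdf", "tampered"))
```

The vulnerable path lets alice rename file-b1 even though she has no upload right on folder-b; the file never moves, which matches the behaviour described in the advisory. The fix derives the authorization target from the file itself and rejects any request whose folder_uuid does not match, so the client-controlled key can no longer widen the permission check.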


How to mitigate CVE-2026-47230

Install the security update from the vendor's website.

Sources