Admidio open-source user management solution versions 5.0.0 to 5.0.7 contain an authentication bypass vulnerability in Docker deployments. The Apache configuration ignores .htaccess files that protect uploaded documents, allowing unauthenticated access to any uploaded file. File paths are exposed in upload response JSON, making exploitation straightforward. This affects the documents module and bypasses all role-based permissions configured in the UI. The vulnerability has been patched in version 5.0.8.