Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
The incomplete SSRF fix in Admidio's fetch_metadata.php validates the resolved IP address but passes the original hostname-based URL to curl_init(), leaving a DNS rebinding TOCTOU window that allows redirecting requests to internal IPs.
Affected Package
- Ecosystem: Other
- Package: admidio
- Affected versions: < commit f6b7a966abe4d75e9f707d665d7b4b5570e3185a
- Patched versions: >= commit f6b7a966abe4d75e9f707d665d7b4b5570e3185a
Severity
Medium
CWE
CWE-918 - Server-Side Request Forgery (SSRF)
Details
In modules/sso/fetch_metadata.php (lines 21-49), the SSO metadata fetch validates the URL scheme is HTTPS (line 21), runs filter_var($rawUrl, FILTER_VALIDATE_URL) (line 27), resolves the hostname via gethostbyname() and checks the IP against private/reserved ranges (lines 34-38), then passes the original URL with the hostname to curl_init($url) at line 41.
The fundamental problem is at step 4: cURL resolves the hostname again independently. Between gethostbyname() at step 3 and curl_exec() at step 4, a DNS rebinding attack can cause the hostname to resolve to 169.254.169.254 (AWS metadata), 127.0.0.1, or any other internal address. No CURLOPT_RESOLVE is set to pin the hostname to the validated IP.
The TOCTOU window between gethostbyname() and curl_exec() is the core issue, and the patch does not close it.
PoC
#!/usr/bin/env python3
"""
CVE-2026-32812 - Admidio SSRF via DNS Rebinding in fetch_metadata.php
Vulnerability: modules/sso/fetch_metadata.php resolves hostname via gethostbyname()
and checks if IP is private, but passes the ORIGINAL URL (with hostname) to curl_init().
DNS rebinding can cause hostname to resolve to internal IP when cURL actually connects.
Real vulnerable PHP code copied from:
Admidio/admidio, modules/sso/fetch_metadata.php
This PoC runs the actual PHP validation logic via `php -r`.
"""
import subprocess
import sys
import os
SCRIPT_DIR = os.path.dirname(os.path.abspath(__file__))
VULN_PHP = os.path.join(SCRIPT_DIR, "fetch_metadata.php")
def run_php(code):
return subprocess.run(["php", "-r", code], capture_output=True, text=True, timeout=15)
def main():
if not os.path.exists(VULN_PHP):
print(f"ERROR: Vulnerable PHP source not found at {VULN_PHP}")
sys.exit(1)
print(f"Source file: {VULN_PHP}")
print("Extracted from: Admidio/admidio, modules/sso/fetch_metadata.php\n")
php_code = r"""
echo "=== CVE-2026-32812: Admidio SSRF via DNS Rebinding ===\n\n";
// Extracted from: modules/sso/fetch_metadata.php lines 21-49
// Character-for-character copy of the validation logic:
function test_admidio_ssrf_filter($rawUrl, $simulated_ip) {
// Only allow https:// scheme (line 21)
if (!preg_match('#^https://#i', $rawUrl)) {
return ['blocked' => true, 'reason' => 'Not HTTPS'];
}
// Validate URL (line 27)
$url = filter_var($rawUrl, FILTER_VALIDATE_URL);
if (!$url) {
return ['blocked' => true, 'reason' => 'Invalid URL'];
}
// Resolve hostname and block internal/private IP ranges (lines 34-38)
$host = parse_url($url, PHP_URL_HOST);
$ip = $simulated_ip; // In real code: gethostbyname($host)
if (filter_var($ip, FILTER_VALIDATE_IP,
FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
return ['blocked' => true, 'reason' => "Private/reserved IP: $ip"];
}
// VULNERABILITY: curl_init($url) at line 41 uses original URL with hostname
return [
'blocked' => false,
'url_passed_to_curl' => $url,
'host' => $host,
'checked_ip' => $ip,
];
}
$tests = [
['https://attacker-rebind.example.com/saml/metadata', '93.184.216.34',
'Public IP at check time - passes, then DNS rebinds to 169.254.169.254'],
['https://attacker-rebind.example.com/saml/metadata', '169.254.169.254',
'After rebind to metadata - blocked IF re-checked'],
['https://192.168.1.1/admin', '192.168.1.1',
'Direct private IP - blocked'],
['https://10.0.0.1/internal', '10.0.0.1',
'Direct internal IP - blocked'],
['http://attacker.com/metadata', '93.184.216.34',
'HTTP scheme - blocked (HTTPS required)'],
['https://evil.com/metadata', '8.8.8.8',
'External HTTPS URL - passes'],
];
$vuln_found = false;
foreach ($tests as $test) {
$result = test_admidio_ssrf_filter($test[0], $test[1]);
$status = $result['blocked'] ? 'BLOCKED' : 'PASSED';
echo sprintf("%-65s => %s\n", $test[2], $status);
if (!$result['blocked']) {
$curl_host = parse_url($result['url_passed_to_curl'], PHP_URL_HOST);
if ($curl_host !== $result['checked_ip']) {
echo " VULN: cURL gets hostname '$curl_host' (checked IP: '{$result['checked_ip']}')\n";
echo " DNS can rebind between gethostbyname() and cURL connect\n";
$vuln_found = true;
}
}
}
echo "\n=== Key Finding ===\n";
echo "fetch_metadata.php line 41: curl_init(\$url) uses ORIGINAL URL with hostname\n";
echo "IP check on line 35 used gethostbyname() result.\n";
echo "TOCTOU window: DNS can rebind between check and cURL connection.\n";
echo "CURLOPT_RESOLVE is NOT set to pin hostname to checked IP.\n\n";
if ($vuln_found) {
echo "VULNERABILITY CONFIRMED\n";
}
"""
result = run_php(php_code)
print(result.stdout)
if result.stderr:
print(f"PHP stderr: {result.stderr}")
if "VULNERABILITY CONFIRMED" in result.stdout:
print("VULNERABILITY CONFIRMED")
sys.exit(0)
else:
print("Vulnerability test inconclusive")
sys.exit(1)
if __name__ == "__main__":
main()Steps to reproduce:
- Place the vulnerable
fetch_metadata.phpsource in the same directory. - Ensure PHP CLI is installed, then run
python3 poc.py. - Observe the TOCTOU window where cURL receives a hostname instead of the validated IP.
Expected output:
VULNERABILITY CONFIRMED
curl_init() uses the original hostname-based URL while IP validation used gethostbyname(), leaving a DNS rebinding TOCTOU window.Impact
An attacker can exploit the SSO metadata fetch endpoint to make the Admidio server issue HTTPS requests to internal services. On cloud-hosted instances, this enables reading the instance metadata service (169.254.169.254) to steal IAM credentials. On-premise deployments can be used to scan internal networks or access localhost services.
Suggested Remediation
Use CURLOPT_RESOLVE to pin the hostname to the IP address returned by gethostbyname(), ensuring cURL connects to the exact IP that was validated:
$resolve = ["$host:443:$ip"];
curl_setopt($ch, CURLOPT_RESOLVE, $resolve);Resources
- Incomplete fix commit: https://github.com/Admidio/admidio/commit/f6b7a966abe4d75e9f707d665d7b4b5570e3185a
- Original CVE: CVE-2026-32812
AnalysisAI
DNS rebinding in Admidio's SSO metadata fetch endpoint bypasses SSRF protections by validating a hostname's IP address with gethostbyname() but passing the original hostname to curl_init(), allowing attackers to redirect requests to internal services including cloud metadata endpoints. Authenticated administrators can exploit this TOCTOU window between DNS resolution check and cURL connection to access internal IP ranges, read instance metadata, or scan internal networks.
Technical ContextAI
The vulnerability exists in modules/sso/fetch_metadata.php (lines 21-49), where the application attempts to prevent SSRF by resolving hostnames via gethostbyname() and filtering the resulting IP against private and reserved ranges using FILTER_VALIDATE_IP with FILTER_FLAG_NO_PRIV_RANGE and FILTER_FLAG_NO_RES_RANGE flags. However, the subsequent curl_init($url) call at line 41 receives the original hostname-based URL rather than the validated IP address. This creates a classic time-of-check-time-of-use (TOCTOU) vulnerability where cURL independently resolves the hostname again; between the initial gethostbyname() validation and curl_exec(), a DNS rebinding attack can cause the same hostname to resolve to a different IP address (such as 169.254.169.254 for AWS metadata services, 127.0.0.1, or other internal addresses). The incomplete patch (commit f6b7a966abe4d75e9f707d665d7b4b5570e3185a) did not implement CURLOPT_RESOLVE to pin the hostname to the initially validated IP, leaving the TOCTOU window unpatched. The root cause is CWE-918 (Server-Side Request Forgery).
RemediationAI
Upgrade to Admidio version 5.0.7 or later, which includes the vendor patch commit f6b7a966abe4d75e9f707d665d7b4b5570e3185a. However, verify that the patched version implements CURLOPT_RESOLVE to pin the hostname to the validated IP address; the disclosed patch does not appear to include this critical step. The complete fix requires adding curl_setopt($ch, CURLOPT_RESOLVE, ["$host:443:$ip"]) after curl_init() to ensure cURL connects only to the IP address that passed the private/reserved range validation. Until upgrade is feasible, restrict access to the /modules/sso/fetch_metadata.php endpoint to trusted administrators only via IP allowlisting or web application firewall rules. Disable SSO metadata fetching entirely if not in use. Monitor DNS resolution patterns from your Admidio server for anomalies that might indicate rebinding attempts. Reference: https://github.com/Admidio/admidio/commit/f6b7a966abe4d75e9f707d665d7b4b5570e3185a and https://github.com/Admidio/admidio/security/advisories/GHSA-6j68-gcc3-mq73.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28296
GHSA-hcjj-chvw-fmw9