Skip to main content

Admidio CVE-2026-42194

| EUVDEUVD-2026-28296 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-05 https://github.com/Admidio/admidio GHSA-hcjj-chvw-fmw9
6.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.8 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 05, 2026 - 21:00 vuln.today
Analysis Generated
May 05, 2026 - 21:00 vuln.today

DescriptionGitHub Advisory

Summary

The incomplete SSRF fix in Admidio's fetch_metadata.php validates the resolved IP address but passes the original hostname-based URL to curl_init(), leaving a DNS rebinding TOCTOU window that allows redirecting requests to internal IPs.

Affected Package

  • Ecosystem: Other
  • Package: admidio
  • Affected versions: < commit f6b7a966abe4d75e9f707d665d7b4b5570e3185a
  • Patched versions: >= commit f6b7a966abe4d75e9f707d665d7b4b5570e3185a

Severity

Medium

CWE

CWE-918 - Server-Side Request Forgery (SSRF)

Details

In modules/sso/fetch_metadata.php (lines 21-49), the SSO metadata fetch validates the URL scheme is HTTPS (line 21), runs filter_var($rawUrl, FILTER_VALIDATE_URL) (line 27), resolves the hostname via gethostbyname() and checks the IP against private/reserved ranges (lines 34-38), then passes the original URL with the hostname to curl_init($url) at line 41.

The fundamental problem is at step 4: cURL resolves the hostname again independently. Between gethostbyname() at step 3 and curl_exec() at step 4, a DNS rebinding attack can cause the hostname to resolve to 169.254.169.254 (AWS metadata), 127.0.0.1, or any other internal address. No CURLOPT_RESOLVE is set to pin the hostname to the validated IP.

The TOCTOU window between gethostbyname() and curl_exec() is the core issue, and the patch does not close it.

PoC

python
#!/usr/bin/env python3
"""
CVE-2026-32812 - Admidio SSRF via DNS Rebinding in fetch_metadata.php

Vulnerability: modules/sso/fetch_metadata.php resolves hostname via gethostbyname()
and checks if IP is private, but passes the ORIGINAL URL (with hostname) to curl_init().
DNS rebinding can cause hostname to resolve to internal IP when cURL actually connects.

Real vulnerable PHP code copied from:
  Admidio/admidio, modules/sso/fetch_metadata.php

This PoC runs the actual PHP validation logic via `php -r`.
"""

import subprocess
import sys
import os

SCRIPT_DIR = os.path.dirname(os.path.abspath(__file__))
VULN_PHP = os.path.join(SCRIPT_DIR, "fetch_metadata.php")


def run_php(code):
    return subprocess.run(["php", "-r", code], capture_output=True, text=True, timeout=15)


def main():
    if not os.path.exists(VULN_PHP):
        print(f"ERROR: Vulnerable PHP source not found at {VULN_PHP}")
        sys.exit(1)

    print(f"Source file: {VULN_PHP}")
    print("Extracted from: Admidio/admidio, modules/sso/fetch_metadata.php\n")

    php_code = r"""
    echo "=== CVE-2026-32812: Admidio SSRF via DNS Rebinding ===\n\n";

    // Extracted from: modules/sso/fetch_metadata.php lines 21-49
    // Character-for-character copy of the validation logic:
    function test_admidio_ssrf_filter($rawUrl, $simulated_ip) {
        // Only allow https:// scheme (line 21)
        if (!preg_match('#^https://#i', $rawUrl)) {
            return ['blocked' => true, 'reason' => 'Not HTTPS'];
        }

        // Validate URL (line 27)
        $url = filter_var($rawUrl, FILTER_VALIDATE_URL);
        if (!$url) {
            return ['blocked' => true, 'reason' => 'Invalid URL'];
        }

        // Resolve hostname and block internal/private IP ranges (lines 34-38)
        $host = parse_url($url, PHP_URL_HOST);
        $ip = $simulated_ip;  // In real code: gethostbyname($host)

        if (filter_var($ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return ['blocked' => true, 'reason' => "Private/reserved IP: $ip"];
        }

        // VULNERABILITY: curl_init($url) at line 41 uses original URL with hostname
        return [
            'blocked' => false,
            'url_passed_to_curl' => $url,
            'host' => $host,
            'checked_ip' => $ip,
        ];
    }

    $tests = [
        ['https://attacker-rebind.example.com/saml/metadata', '93.184.216.34',
         'Public IP at check time - passes, then DNS rebinds to 169.254.169.254'],
        ['https://attacker-rebind.example.com/saml/metadata', '169.254.169.254',
         'After rebind to metadata - blocked IF re-checked'],
        ['https://192.168.1.1/admin', '192.168.1.1',
         'Direct private IP - blocked'],
        ['https://10.0.0.1/internal', '10.0.0.1',
         'Direct internal IP - blocked'],
        ['http://attacker.com/metadata', '93.184.216.34',
         'HTTP scheme - blocked (HTTPS required)'],
        ['https://evil.com/metadata', '8.8.8.8',
         'External HTTPS URL - passes'],
    ];

    $vuln_found = false;
    foreach ($tests as $test) {
        $result = test_admidio_ssrf_filter($test[0], $test[1]);
        $status = $result['blocked'] ? 'BLOCKED' : 'PASSED';
        echo sprintf("%-65s => %s\n", $test[2], $status);

        if (!$result['blocked']) {
            $curl_host = parse_url($result['url_passed_to_curl'], PHP_URL_HOST);
            if ($curl_host !== $result['checked_ip']) {
                echo "  VULN: cURL gets hostname '$curl_host' (checked IP: '{$result['checked_ip']}')\n";
                echo "  DNS can rebind between gethostbyname() and cURL connect\n";
                $vuln_found = true;
            }
        }
    }

    echo "\n=== Key Finding ===\n";
    echo "fetch_metadata.php line 41: curl_init(\$url) uses ORIGINAL URL with hostname\n";
    echo "IP check on line 35 used gethostbyname() result.\n";
    echo "TOCTOU window: DNS can rebind between check and cURL connection.\n";
    echo "CURLOPT_RESOLVE is NOT set to pin hostname to checked IP.\n\n";

    if ($vuln_found) {
        echo "VULNERABILITY CONFIRMED\n";
    }
    """

    result = run_php(php_code)
    print(result.stdout)
    if result.stderr:
        print(f"PHP stderr: {result.stderr}")

    if "VULNERABILITY CONFIRMED" in result.stdout:
        print("VULNERABILITY CONFIRMED")
        sys.exit(0)
    else:
        print("Vulnerability test inconclusive")
        sys.exit(1)


if __name__ == "__main__":
    main()

Steps to reproduce:

  1. Place the vulnerable fetch_metadata.php source in the same directory.
  2. Ensure PHP CLI is installed, then run python3 poc.py.
  3. Observe the TOCTOU window where cURL receives a hostname instead of the validated IP.

Expected output:

VULNERABILITY CONFIRMED
curl_init() uses the original hostname-based URL while IP validation used gethostbyname(), leaving a DNS rebinding TOCTOU window.

Impact

An attacker can exploit the SSO metadata fetch endpoint to make the Admidio server issue HTTPS requests to internal services. On cloud-hosted instances, this enables reading the instance metadata service (169.254.169.254) to steal IAM credentials. On-premise deployments can be used to scan internal networks or access localhost services.

Suggested Remediation

Use CURLOPT_RESOLVE to pin the hostname to the IP address returned by gethostbyname(), ensuring cURL connects to the exact IP that was validated:

php
$resolve = ["$host:443:$ip"];
curl_setopt($ch, CURLOPT_RESOLVE, $resolve);

Resources

  • Incomplete fix commit: https://github.com/Admidio/admidio/commit/f6b7a966abe4d75e9f707d665d7b4b5570e3185a
  • Original CVE: CVE-2026-32812

AnalysisAI

DNS rebinding in Admidio's SSO metadata fetch endpoint bypasses SSRF protections by validating a hostname's IP address with gethostbyname() but passing the original hostname to curl_init(), allowing attackers to redirect requests to internal services including cloud metadata endpoints. Authenticated administrators can exploit this TOCTOU window between DNS resolution check and cURL connection to access internal IP ranges, read instance metadata, or scan internal networks.

Technical ContextAI

The vulnerability exists in modules/sso/fetch_metadata.php (lines 21-49), where the application attempts to prevent SSRF by resolving hostnames via gethostbyname() and filtering the resulting IP against private and reserved ranges using FILTER_VALIDATE_IP with FILTER_FLAG_NO_PRIV_RANGE and FILTER_FLAG_NO_RES_RANGE flags. However, the subsequent curl_init($url) call at line 41 receives the original hostname-based URL rather than the validated IP address. This creates a classic time-of-check-time-of-use (TOCTOU) vulnerability where cURL independently resolves the hostname again; between the initial gethostbyname() validation and curl_exec(), a DNS rebinding attack can cause the same hostname to resolve to a different IP address (such as 169.254.169.254 for AWS metadata services, 127.0.0.1, or other internal addresses). The incomplete patch (commit f6b7a966abe4d75e9f707d665d7b4b5570e3185a) did not implement CURLOPT_RESOLVE to pin the hostname to the initially validated IP, leaving the TOCTOU window unpatched. The root cause is CWE-918 (Server-Side Request Forgery).

RemediationAI

Upgrade to Admidio version 5.0.7 or later, which includes the vendor patch commit f6b7a966abe4d75e9f707d665d7b4b5570e3185a. However, verify that the patched version implements CURLOPT_RESOLVE to pin the hostname to the validated IP address; the disclosed patch does not appear to include this critical step. The complete fix requires adding curl_setopt($ch, CURLOPT_RESOLVE, ["$host:443:$ip"]) after curl_init() to ensure cURL connects only to the IP address that passed the private/reserved range validation. Until upgrade is feasible, restrict access to the /modules/sso/fetch_metadata.php endpoint to trusted administrators only via IP allowlisting or web application firewall rules. Disable SSO metadata fetching entirely if not in use. Monitor DNS resolution patterns from your Admidio server for anomalies that might indicate rebinding attempts. Reference: https://github.com/Admidio/admidio/commit/f6b7a966abe4d75e9f707d665d7b4b5570e3185a and https://github.com/Admidio/admidio/security/advisories/GHSA-6j68-gcc3-mq73.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-42194 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy