Description
Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, unrestricted URL fetch in the SSO Metadata API can result in SSRF and local file reads. The SSO Metadata fetch endpoint at modules/sso/fetch_metadata.php accepts an arbitrary URL via $_GET['url'], validates it only with PHP's FILTER_VALIDATE_URL, and passes it directly to file_get_contents(). FILTER_VALIDATE_URL accepts file://, http://, ftp://, data://, and php:// scheme URIs. An authenticated administrator can use this endpoint to read arbitrary local files via the file:// wrapper (Local File Read), reach internal services via http:// (SSRF), or fetch cloud instance metadata. The full response body is returned verbatim to the caller. This issue has been fixed in version 5.0.7.
Published: 2026-03-20
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SSRF and Local File Read leading to sensitive data exposure
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an unrestricted URL fetch in the SSO Metadata API. It accepts an arbitrary URL via the GET parameter and forwards it directly to file_get_contents after only a basic FILTER_VALIDATE_URL check, which permits file://, http://, ftp://, data://, and php:// scheme URIs. As a result, an attacker can trigger Server‑Side Request Forgery to reach internal services and can read arbitrary local files, including cloud instance metadata. The weakness is identified as CWE‑918.

Affected Systems

Admidio user management solution versions 5.0.0 through 5.0.6 are affected. The fix was applied in version 5.0.7. Only authenticated administrators have access to the vulnerable endpoint.

Risk and Exploitability

The CVSS score of 6.8 indicates medium severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the wild. However, exploitation requires administrative credentials, which limits the attack surface. If a privileged user is compromised, the attacker could read sensitive data or access internal services via SSRF. The vulnerability is not listed in the CISA KEV catalog, indicating no known widespread exploitation at this time.

Generated by OpenCVE AI on March 23, 2026 at 16:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch to update Admidio to version 5.0.7 or later.
  • If patching cannot be performed immediately, consider restricting or disabling access to the SSO metadata fetch endpoint for non‑essential administrators or by using network segmentation.
  • Verify that the file:// wrapper is disabled on the web server if possible to prevent local file reads.

Generated by OpenCVE AI on March 23, 2026 at 16:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6j68-gcc3-mq73 Admidio Vulnerable to SSRF and Local File Read via Unrestricted URL Fetch in SSO Metadata Endpoint
History

Mon, 23 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*

Fri, 20 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Admidio
Admidio admidio
Vendors & Products Admidio
Admidio admidio

Fri, 20 Mar 2026 02:15:00 +0000

Type Values Removed Values Added
Description Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, unrestricted URL fetch in the SSO Metadata API can result in SSRF and local file reads. The SSO Metadata fetch endpoint at modules/sso/fetch_metadata.php accepts an arbitrary URL via $_GET['url'], validates it only with PHP's FILTER_VALIDATE_URL, and passes it directly to file_get_contents(). FILTER_VALIDATE_URL accepts file://, http://, ftp://, data://, and php:// scheme URIs. An authenticated administrator can use this endpoint to read arbitrary local files via the file:// wrapper (Local File Read), reach internal services via http:// (SSRF), or fetch cloud instance metadata. The full response body is returned verbatim to the caller. This issue has been fixed in version 5.0.7.
Title Admidio Vulnerable to SSRF and Local File Read via Unrestricted URL Fetch in SSO Metadata Endpoint
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N'}

Subscriptions

Admidio Admidio
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T18:08:53.629Z

Reserved: 2026-03-16T17:35:36.696Z

Link: CVE-2026-32812

cve-icon Vulnrichment

Updated: 2026-03-20T16:55:29.311Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T02:16:35.043

Modified: 2026-03-23T15:24:40.083

Link: CVE-2026-32812

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:09:40Z

Weaknesses