Description
Admidio is an open-source user management solution. Prior to version 5.0.9, the Admidio SAML Identity Provider implementation discards the return value of its validateSignature() method at both call sites (handleSSORequest() line 418 and handleSLORequest() line 613). The method returns error strings on failure rather than throwing exceptions, but the developer believed it would throw (per comments on lines 416 and 611). This means the smc_require_auth_signed configuration option is completely ineffective — unsigned or invalidly-signed SAML AuthnRequests and LogoutRequests are processed identically to properly signed ones. This issue has been patched in version 5.0.9.
Published: 2026-05-07
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises because Admidio’s SAML Identity Provider implementation fails to honor the result of its signature validation routine. The validateSignature() method returns error strings when a SAML AuthnRequest or LogoutRequest is unsigned or contains an invalid signature, but the caller ignores this return value. Consequently, requests that should have been rejected are treated as valid, enabling an attacker to craft forged AuthnRequests or LogoutRequests and cause the system to authenticate a user or terminate a session without proper authorization. This flaw is a classic example of CWE‑347, Improper Validation of Cryptographic Signature, and permits unauthorized identity delegation with potential elevation of privileges.
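The defect described above is a return-value contract mismatch: the validator reports failure by returning an error string, while the caller assumes failure would surface as an exception. The PHP below is an added illustration written for this page, not Admidio's code: the class name, the detached RSA signature over the raw request bytes (real SAML uses XML-DSig), the key handling and the sample request are all assumptions chosen to keep it self-contained and runnable. Only the names validateSignature(), handleSSORequest() and smc_require_auth_signed are taken from the advisory text. It shows the vulnerable call pattern and the hardened one side by side against a signed, an unsigned and a forged request.

```php
<?php
declare(strict_types=1);

// Added illustration of the CWE-347 pattern from the advisory. Not Admidio's
// code: class name, detached-signature format and key handling are assumptions.
final class SamlIdpValidator
{
    public function __construct(
        private string $spPublicKeyPem,    // PEM public key of the trusted SP (assumed)
        private bool $smcRequireAuthSigned // the smc_require_auth_signed option
    ) {}

    /**
     * Returns true on success and an error STRING on failure. It never throws,
     * which is exactly the contract the vulnerable caller misunderstood.
     */
    public function validateSignature(string $request, ?string $signatureB64): bool|string
    {
        if ($signatureB64 === null || $signatureB64 === '') {
            return $this->smcRequireAuthSigned ? 'AuthnRequest is not signed' : true;
        }
        $rawSig = base64_decode($signatureB64, true);
        if ($rawSig === false) {
            return 'Signature is not valid base64';
        }
        // openssl_verify() returns 1 (valid), 0 (invalid) or -1/false (error).
        $ok = openssl_verify($request, $rawSig, $this->spPublicKeyPem, OPENSSL_ALGO_SHA256);
        return $ok === 1 ? true : 'Signature verification failed';
    }
}

// Vulnerable pattern: the result is discarded, so an unsigned or forged
// request reaches the same code path as a properly signed one.
function handleSSORequestVulnerable(SamlIdpValidator $v, string $request, ?string $sig): string
{
    // "validateSignature() will throw on failure" -- this belief is wrong.
    $v->validateSignature($request, $sig);
    return 'processed';
}

// Hardened pattern: anything other than true is a hard failure.
function handleSSORequestFixed(SamlIdpValidator $v, string $request, ?string $sig): string
{
    $result = $v->validateSignature($request, $sig);
    if ($result !== true) {
        throw new RuntimeException('Rejected SAML request: ' . $result);
    }
    return 'processed';
}

// --- constructed demonstration data (not real SAML traffic) ---
$spKey = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$spPublicPem = openssl_pkey_get_details($spKey)['key'];
$request = '<samlp:AuthnRequest ID="_constructed-example" Destination="https://idp.example.invalid/sso"/>';

openssl_sign($request, $rawSig, $spKey, OPENSSL_ALGO_SHA256);
$validSig  = base64_encode($rawSig);
$forgedSig = base64_encode(str_repeat("\x00", strlen($rawSig))); // wrong bytes, right length

$validator = new SamlIdpValidator($spPublicPem, true); // smc_require_auth_signed enabled

$cases = [
    'signed'   => $validSig,
    'unsigned' => null,
    'forged'   => $forgedSig,
];

foreach ($cases as $label => $sig) {
    $vuln = handleSSORequestVulnerable($validator, $request, $sig);
    try {
        $fixed = handleSSORequestFixed($validator, $request, $sig);
    } catch (RuntimeException $e) {
        $fixed = $e->getMessage();
    }
    printf("%-8s vulnerable: %-9s fixed: %s\n", $label, $vuln, $fixed);
}
```

Run with PHP 8.0 or later (union return types, constructor promotion) and the openssl extension. The vulnerable handler reports "processed" for all three cases; the fixed handler accepts only the signed request and rejects the unsigned and forged ones with the validator's error string. The same check belongs at the LogoutRequest call site, since the advisory reports both handlers discarding the result.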

Affected Systems

Admidio, the open‑source user‑management solution, is affected in all releases prior to 5.0.9. The issue is fixed in version 5.0.9 and later, so any deployment still running 5.0.8 or earlier is vulnerable.

Risk and Exploitability

The flaw has a CVSS score of 8.2 and is not listed in the CISA KEV catalog. Because the vulnerability is triggered remotely by sending a crafted SAML request to the SSO endpoint, it can be exploited over the network without local access. No exploit code or public proof of concept has been reported, and the EPSS score is not available, but the potential for widespread impact and the high severity score indicate that the risk is significant if the system is exposed to the internet or to untrusted partners.

Generated by OpenCVE AI on May 7, 2026 at 05:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Admidio update to version 5.0.9 or later, which correctly checks the signature validation result.
  • If an immediate update is not possible, disable the SAML Single Sign‑On functionality or block external access to the SSO endpoint until the patch is applied to prevent forged requests from being processed.
  • After applying the patch, re‑enable the SAML SSO feature and verify that the smc_require_auth_signed configuration option is functioning correctly by testing with both signed and unsigned SAML requests.

Advisories

Source: GitHub GHSA
ID: GHSA-25cw-98hg-g3cg
Title: Admidio Ignores SAML Signature Validation Result, Processes Forged AuthnRequests and LogoutRequests
History

Thu, 07 May 2026 15:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 07 May 2026 05:45:00 +0000

Type: First Time appeared
Values Added: Admidio; Admidio admidio
Type: Vendors & Products
Values Added: Admidio; Admidio admidio

Thu, 07 May 2026 04:15:00 +0000

Type: Description
Values Added: (the Description text shown at the top of this page)
Type: Title
Values Added: Admidio: SAML Signature Validation Result Ignored — Forged AuthnRequests and LogoutRequests Processed
Type: Weaknesses
Values Added: CWE-347
Type: References
Values Added: (none shown)
Type: Metrics (cvssV3_1)
Values Added: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T13:52:49.029Z

Reserved: 2026-04-22T03:53:24.405Z

Link: CVE-2026-41669

Vulnrichment

Updated: 2026-05-07T13:51:45.622Z

NVD

Status: Deferred

Published: 2026-05-07T04:16:30.400

Modified: 2026-05-07T15:16:08.460

Link: CVE-2026-41669

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T05:45:06Z

Weaknesses