Description
Admidio is an open-source user management solution. Prior to version 5.0.9, the SAML IdP implementation in Admidio's SSO module uses the AssertionConsumerServiceURL value directly from incoming SAML AuthnRequest messages as the destination for the SAML response, without validating it against the registered ACS URL (smc_acs_url) stored in the database for the corresponding service provider client. An attacker who knows the Entity ID of a registered SP client can craft a SAML AuthnRequest with an arbitrary AssertionConsumerServiceURL, causing the IdP to send the signed SAML response -- containing user identity attributes (login name, email, roles, profile fields) -- to an attacker-controlled URL. This issue has been patched in version 5.0.9.
Published: 2026-05-07
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability occurs when Admidio's Identity Provider accepts the AssertionConsumerServiceURL that appears in an incoming SAML AuthnRequest without validating it against the registered ACS URL stored for the target service provider. An attacker who knows a registered Service Provider's Entity ID can send a crafted AuthnRequest that includes an arbitrary ACS URL. The IdP then returns a signed SAML response, which contains user identity attributes such as username, email address, roles, and profile fields, to the attacker-controlled endpoint. This allows the attacker to capture the response and potentially impersonate the user or exfiltrate sensitive data. The flaw is an input-validation weakness (CWE-20) combined with redirection of the response to an untrusted destination (CWE-601, open redirect).
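As an added illustration of the check that the 5.0.9 fix restores (written for this page in Python, not Admidio's own PHP code): an IdP-side helper that parses an AuthnRequest and only ever answers to the ACS URL registered for the issuing SP, shown beside the unsafe "trust the request" behaviour the advisory describes. The SP registry, entity ID, URLs and sample request are all constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed stand-in for the SP client table (Admidio keeps the
# registered URL in smc_acs_url): entity ID -> registered ACS URL.
SP_REGISTRY = {"https://sp.example.org/metadata": "https://sp.example.org/saml/acs"}

class AcsValidationError(Exception):
    """The AuthnRequest cannot be mapped to a registered ACS URL."""

def parse_authn_request(xml_text):
    """Return (issuer entity ID, requested ACS URL or None)."""
    # Production code should parse untrusted XML with defusedxml.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise AcsValidationError("not a SAML 2.0 AuthnRequest")
    issuer_el = root.find(f"{{{SAML}}}Issuer")
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    return issuer, root.get("AssertionConsumerServiceURL")

def _canonical(url):
    # Case-fold scheme and host only; path and query are compared verbatim.
    p = urlsplit(url)
    query = f"?{p.query}" if p.query else ""
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path}{query}"

def response_destination_unsafe(xml_text):
    """Pre-5.0.9 behaviour the advisory describes: trust the request's URL."""
    return parse_authn_request(xml_text)[1]

def response_destination_safe(xml_text, registry=SP_REGISTRY):
    """Hardened: send the response only to the ACS URL registered for the issuer."""
    issuer, requested = parse_authn_request(xml_text)
    registered = registry.get(issuer)
    if registered is None:
        raise AcsValidationError(f"unknown SP entity ID: {issuer!r}")
    if requested is None:  # the attribute is optional in SAML 2.0
        return registered
    # Whole-URL equality; a prefix check would accept ".../acs.attacker.example".
    if _canonical(requested) != _canonical(registered):
        raise AcsValidationError(f"ACS URL mismatch for {issuer}: {requested!r}")
    return registered

def make_request(issuer, acs=None):
    """Build a minimal constructed AuthnRequest for testing the two paths."""
    acs_attr = f' AssertionConsumerServiceURL="{acs}"' if acs else ""
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_c1" '
            f'Version="2.0" IssueInstant="2026-05-07T00:00:00Z"{acs_attr}>'
            f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>')
```

A rejected mismatch is also a useful detection signal: logging the issuer and the requested URL on AcsValidationError surfaces probing against a registered SP.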

Affected Systems

All installations of Admidio 5.0.x that are configured as a SAML Identity Provider and use the default SSO module are impacted. Versions prior to 5.0.9 run the vulnerable code. Users who authenticate through the IdP are at risk.

Risk and Exploitability

The vulnerability is rated 8.2 (High) on the CVSS scale. The attack path is network-reachable: any remote party can send a manipulated AuthnRequest to the IdP endpoint. The EPSS metric is unavailable, and the issue is not listed in the CISA KEV catalog. Because no prior authentication or additional privileges are needed to obtain privileged user information, the risk of exploitation is significant for exposed IdPs.

Generated by OpenCVE AI on May 7, 2026 at 05:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Admidio version 5.0.9 or later, which validates the AssertionConsumerServiceURL against the registered ACS URL.
  • If an upgrade is not immediately possible, restrict the IdP endpoint to trusted networks or block external SAML AuthnRequest traffic to reduce the attack surface.
  • As a temporary mitigation, disable the SAML IdP function in the Admidio configuration until a patch can be applied, ensuring that no SAML responses are sent to untrusted URLs.


Advisories
Source: GitHub GHSA
ID: GHSA-p9w9-87c8-m235
Title: Admidio Sends SAML Response to Unvalidated Assertion Consumer Service URL from AuthnRequest
History

Thu, 07 May 2026 14:15:00 +0000

Metrics added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 07 May 2026 05:45:00 +0000

First time appeared: Admidio (vendor), Admidio admidio (product)
Vendors & Products added: Admidio (vendor), Admidio admidio (product)

Thu, 07 May 2026 04:15:00 +0000

Description added: the text shown in the Description section above
Title added: Admidio: SAML Response Sent to Unvalidated Assertion Consumer Service URL from AuthnRequest
Weaknesses added: CWE-20, CWE-601
References added: none listed
Metrics added: cvssV3_1
{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Updated: 2026-05-07T13:44:01.169Z

Reserved: 2026-04-22T03:53:24.405Z

Link: CVE-2026-41670

Vulnrichment

Updated: 2026-05-07T13:43:49.583Z

NVD

Status: Deferred

Published: 2026-05-07T04:16:30.993

Modified: 2026-05-07T15:16:08.560

Link: CVE-2026-41670

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T05:45:06Z