Description
Admidio is an open-source user management solution. Prior to version 5.0.9, the OIDC token introspection endpoint (/modules/sso/index.php/oidc/introspect) always returns {"active": true} for every request, regardless of whether a valid token is provided, whether the token is expired, revoked, or completely fabricated. The endpoint performs no authentication of the calling resource server and no validation of the submitted token. Any resource server that relies on this introspection endpoint to validate access tokens will accept all requests as authorized, enabling complete authentication bypass. Additionally, the OIDC token revocation endpoint (/oidc/revoke) returns {"revoked": true} without actually revoking any token, preventing resource servers from invalidating compromised credentials. This issue has been patched in version 5.0.9.
Published: 2026-05-07
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Admidio's OIDC introspection endpoint always replies with {"active": true} for any request, ignoring the token's validity, expiration, revocation status, or authenticity. The revocation endpoint has the matching flaw: it always reports a token as revoked even though no revocation takes place. Consequently, any resource server that trusts this endpoint will accept every bearer token, so an attacker can present an arbitrary or fabricated token and gain unauthorized access. The weakness is a classic example of missing authentication, classified as CWE-287.

Affected Systems

The issue affects Admidio 5.0.x releases prior to 5.0.9. Systems using this open-source user management application and relying on Admidio's OIDC endpoints for token validation are subject to risk.

Risk and Exploitability

With a CVSS score of 6.8 the vulnerability has moderate severity. No EPSS score is reported, and the flaw is not listed in the CISA KEV catalog, suggesting no widely documented exploitation. Based on the description, the attacker does not need any privileges within Admidio: any client that presents a token to a resource server trusting the introspection endpoint is accepted, because the endpoint answers positively for every token it is asked about. Thus the likely attack vector is remote, requiring only network reach to a resource server that relies on the endpoint to achieve authentication bypass.

Generated by OpenCVE AI on May 7, 2026 at 05:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Admidio 5.0.9 patch or later to disable the flawed introspection and revocation behavior
  • Reconfigure or upgrade your resource servers to avoid relying on the introspection endpoint and instead validate tokens locally or with a trusted provider
  • If upgrading immediately is not possible, block external access to /modules/sso/index.php/oidc/introspect and /oidc/revoke, or restrict these endpoints to trusted internal hosts only
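To make the defect concrete, here is an added example (written for this page, not Admidio's code) that contrasts the behaviour the description attributes to the pre-5.0.9 introspection endpoint with handlers that do what the recommended actions expect: authenticate the calling resource server, answer active only for a live token, and actually change state on revocation. The token store, resource-server credentials and fixed clock are constructed assumptions.

```python
import hmac

# Constructed sample state (not Admidio's data): issued access tokens and the
# credentials of resource servers allowed to call introspection/revocation.
NOW = 1_800_000_000  # fixed "current time" so results are reproducible
TOKENS = {
    "tok-valid":   {"sub": "alice", "scope": "openid", "exp": NOW + 600, "revoked": False},
    "tok-expired": {"sub": "bob",   "scope": "openid", "exp": NOW - 1,   "revoked": False},
    "tok-revoked": {"sub": "carol", "scope": "openid", "exp": NOW + 600, "revoked": True},
}
RESOURCE_SERVERS = {"rs-api": "rs-secret"}  # client_id -> client_secret (constructed)


def introspect_flawed(form, auth=None):
    """Pre-5.0.9 behaviour described in the advisory: every request is 'active'."""
    return {"active": True}


def _caller_is_authenticated(auth):
    """RFC 7662 requires the resource server to authenticate; compare in constant time."""
    client_id, client_secret = auth
    expected = RESOURCE_SERVERS.get(client_id)
    return expected is not None and hmac.compare_digest(expected, client_secret)


def introspect_fixed(form, auth, now=NOW):
    """Report active only for a token that exists, is unexpired and is not revoked."""
    if not _caller_is_authenticated(auth):
        return None  # a real server answers HTTP 401 here
    token = TOKENS.get(form.get("token", ""))
    # Unknown, expired and revoked tokens all get the minimal {"active": false}
    # reply, so the caller cannot tell which case it hit.
    if token is None or token["revoked"] or token["exp"] <= now:
        return {"active": False}
    return {"active": True, "sub": token["sub"], "scope": token["scope"], "exp": token["exp"]}


def revoke_fixed(form, auth):
    """Revocation must change state; RFC 7009 reports success even for unknown tokens."""
    if not _caller_is_authenticated(auth):
        return None
    token = TOKENS.get(form.get("token", ""))
    if token is not None:
        token["revoked"] = True  # the part the flawed endpoint never did
    return {"revoked": True}  # mirrors the page's response shape
```

After `revoke_fixed` runs on "tok-valid", `introspect_fixed` reports it inactive, which is exactly the property a resource server needs to invalidate compromised credentials.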


Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-9xx5-cv6j-x533
Title: Admidio: OIDC Token Introspection Endpoint Returns Active for All Tokens Without Validation
History

Thu, 07 May 2026 13:15:00 +0000
Metrics (ssvc) added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 07 May 2026 05:45:00 +0000
First Time appeared: Admidio; Admidio admidio
Vendors & Products added: Admidio; Admidio admidio

Thu, 07 May 2026 04:15:00 +0000
Description added: (the description shown at the top of this page)
Title added: Admidio: OIDC Token Introspection Endpoint Returns Active for All Tokens Without Validation
Weaknesses added: CWE-287
References added: (none listed)
Metrics (cvssV3_1) added: {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T12:46:28.521Z

Reserved: 2026-04-22T03:53:24.405Z

Link: CVE-2026-41671

Vulnrichment

Updated: 2026-05-07T12:46:22.574Z

NVD

Status: Deferred

Published: 2026-05-07T04:16:32.863

Modified: 2026-05-07T14:54:40.603

Link: CVE-2026-41671

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T06:00:16Z

Weaknesses