Description
Admidio is an open-source user management solution. Prior to version 5.0.9, the incomplete SSRF fix in Admidio's fetch_metadata.php validates the resolved IP address but passes the original hostname-based URL to curl_init(), leaving a DNS rebinding TOCTOU window that allows redirecting requests to internal IPs. This issue has been patched in version 5.0.9.
Published: 2026-05-07
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Admidio’s fetch_metadata.php contains an incomplete SSRF fix that validates the resolved IP address but still passes the original hostname‑based URL to curl_init(). Because curl performs its own DNS lookup, the hostname can resolve to a different address between the check and the request, leaving a DNS rebinding TOCTOU window that can redirect requests to internal IP addresses and lets an attacker reach internal network services that should not be exposed. The flaw enables a standard SSRF attack; what is exposed depends on which internal service the request reaches, potentially including internal resources or sensitive data.
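The pattern the advisory describes, as an added PHP illustration that is not Admidio's code: a check on the resolved address followed by curl_init() on the hostname URL, beside a version that resolves once, validates every answer, and pins curl to the validated address with CURLOPT_RESOLVE so no second lookup can occur. The function names and the filter_var-based private-range check are assumptions; Admidio's actual fix in 5.0.9 may differ.

```php
<?php
function isPrivateAddress(string $ip): bool {
    // filter_var rejects RFC1918, loopback, link-local and other reserved ranges
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false;
}

// Vulnerable pattern (the shape the advisory describes): the IP is checked, but
// curl resolves the hostname again, so a second DNS answer can point elsewhere.
function fetchMetadataUnsafe(string $url): string|false {
    $host = parse_url($url, PHP_URL_HOST);
    if ($host === null || isPrivateAddress(gethostbyname($host))) {
        return false;
    }
    $ch = curl_init($url);               // second, unchecked lookup happens here
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// Hardened pattern: resolve once, validate every address, then pin curl to the
// validated address with CURLOPT_RESOLVE so no second lookup can occur.
function fetchMetadataPinned(string $url): string|false {
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['host'])
        || !in_array($parts['scheme'] ?? '', ['http', 'https'], true)) {
        return false;
    }
    $host = $parts['host'];
    $port = $parts['port'] ?? ($parts['scheme'] === 'https' ? 443 : 80);
    $ips  = [];
    foreach (dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $rr) {
        $ips[] = $rr['ip'] ?? $rr['ipv6'];
    }
    // Unresolvable names (including bare IP literals) and any internal answer are rejected
    if ($ips === [] || array_filter($ips, 'isPrivateAddress') !== []) {
        return false;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false, // a redirect would also escape the check
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RESOLVE        => ["{$host}:{$port}:{$ips[0]}"],
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}
```

The pinned version still trusts the first DNS answer only for the duration of one request and refuses redirects, which is why disabling CURLOPT_FOLLOWLOCATION (or re-validating each hop) belongs in the fix as well.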

Affected Systems

The vulnerability affects Admidio versions prior to 5.0.9. Any installation running Admidio 5.0.8 or earlier is affected. Upgrading to version 5.0.9 or later resolves the issue.

Risk and Exploitability

The CVSS score is 6.8, signifying medium severity. Exploit probability data (EPSS) is not available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is most likely remote if the web application is reachable from an external network, with the attacker using the fetch_metadata endpoint to cause requests to internal IPs. Successful exploitation requires the target to have internal services that the attacker can interact with, even if only one‑way. The impact is disclosure of, or limited interaction with, internal resources rather than full control of the host.

Generated by OpenCVE AI on May 7, 2026 at 05:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Admidio to version 5.0.9 or later to eliminate the SSRF flaw.
  • Disable or remove the fetch_metadata.php endpoint if it is not required for your deployment.
  • Configure web server or firewall rules to block outbound requests from the application to internal IP ranges unless explicitly needed.



Advisories
Source: Github GHSA
ID: GHSA-hcjj-chvw-fmw9
Title: Admidio has an incomplete fix for CVE-2026-32812 (SSRF)
History

Thu, 07 May 2026 07:00:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Admidio; Admidio admidio

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Admidio; Admidio admidio

Thu, 07 May 2026 04:15:00 +0000

Type: Description
  Values Added: Admidio is an open-source user management solution. Prior to version 5.0.9, the incomplete SSRF fix in Admidio's fetch_metadata.php validates the resolved IP address but passes the original hostname-based URL to curl_init(), leaving a DNS rebinding TOCTOU window that allows redirecting requests to internal IPs. This issue has been patched in version 5.0.9.

Type: Title
  Values Added: Incomplete fix for CVE-2026-32812: SSRF in admidio

Type: Weaknesses
  Values Added: CWE-918

Type: References
  Values Added: (none)

Type: Metrics
  Values Added: cvssV3_1 {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T03:01:04.830Z

Reserved: 2026-04-25T01:53:21.584Z

Link: CVE-2026-42194

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-07T04:16:34.053

Modified: 2026-05-07T04:16:34.053

Link: CVE-2026-42194

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T06:45:15Z

Weaknesses