{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/admidio/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["admidio"],"_cs_severities":["medium"],"_cs_tags":["saml","signature-bypass","authentication","authorization","web-application"],"_cs_type":"advisory","_cs_vendors":["admidio"],"content_html":"\u003cp\u003eAdmidio, a free web-based content management system for organizations and groups, contains a signature-validation flaw in the identity-provider (IdP) side of its SAML Single Sign-On (SSO) implementation. The \u003ccode\u003evalidateSignature()\u003c/code\u003e method of the SAMLService class returns an error string when signature validation fails instead of throwing an exception. Its callers, \u003ccode\u003ehandleSSORequest()\u003c/code\u003e and \u003ccode\u003ehandleSLORequest()\u003c/code\u003e, assume that a failed validation throws and never inspect the return value, so a failed check is indistinguishable from a successful one. This renders the \u003ccode\u003esmc_require_auth_signed\u003c/code\u003e configuration option ineffective and lets an attacker submit forged SAML AuthnRequests and LogoutRequests that carry no valid signature. An attacker can exploit this to obtain sensitive user information or to cause a denial of service by terminating user sessions. 
This affects Admidio versions 5.0.8 and earlier and requires SAML SSO to be enabled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious SAML AuthnRequest or LogoutRequest without a valid signature, impersonating a legitimate Service Provider (SP).\u003c/li\u003e\n\u003cli\u003eThe attacker sends the forged SAML request to the Admidio instance via HTTP GET or POST to \u003ccode\u003emodules/sso/index.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ereceiveMessage()\u003c/code\u003e function parses the SAML binding directly from the HTTP request, requiring no prior authentication.\u003c/li\u003e\n\u003cli\u003eThe Entity ID is extracted from the forged request\u0026rsquo;s Issuer element, and the corresponding client configuration is loaded.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003evalidateSignature()\u003c/code\u003e function is called, but its return value (indicating signature validity) is discarded.\u003c/li\u003e\n\u003cli\u003eFor AuthnRequests, if the targeted user has an active session (\u003ccode\u003e$gValidLogin\u003c/code\u003e is true), the login form is skipped.\u003c/li\u003e\n\u003cli\u003eAdmidio builds a SAML Response containing the user\u0026rsquo;s attributes (login, name, email, roles) and sends it to the attacker-controlled \u003ccode\u003eAssertionConsumerServiceURL\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eFor LogoutRequests, the user\u0026rsquo;s session is immediately terminated in the database, triggering a cascading single logout across all registered SPs.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to several critical impacts. The primary impact is the complete bypass of signature enforcement, negating the security benefits of the \u003ccode\u003esmc_require_auth_signed\u003c/code\u003e setting. 
This can lead to the disclosure of sensitive user attributes, including login name, email, and role memberships, to unauthorized parties: a forged SSO request names an attacker-controlled \u003ccode\u003eAssertionConsumerServiceURL\u003c/code\u003e and the IdP delivers the SAML response there. Furthermore, attackers can terminate any user\u0026rsquo;s Admidio session by forging SLO requests, causing a denial-of-service condition. This vulnerability affects all Admidio instances with SAML SSO enabled and can affect every user of the system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the recommended fix in the Admidio codebase to check the return value of \u003ccode\u003evalidateSignature()\u003c/code\u003e and throw an exception on failure, as outlined in the advisory (\u003ca href=\"https://github.com/advisories/GHSA-25cw-98hg-g3cg\"\u003ehttps://github.com/advisories/GHSA-25cw-98hg-g3cg\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Admidio Forged SAML AuthnRequest Detection\u0026rdquo; to detect potentially malicious SAML AuthnRequests lacking a valid signature via webserver logs.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Admidio Forged SAML LogoutRequest Detection\u0026rdquo; to detect potentially malicious SAML LogoutRequests lacking a valid signature via webserver logs.\u003c/li\u003e\n\u003cli\u003eMonitor webserver logs for requests to \u003ccode\u003e/adm_program/modules/sso/index.php/saml/sso\u003c/code\u003e and \u003ccode\u003e/adm_program/modules/sso/index.php/saml/slo\u003c/code\u003e that carry no signature. Access logs do not record whether a signature was validated: for the HTTP-Redirect binding a signed request carries \u003ccode\u003eSigAlg\u003c/code\u003e and \u003ccode\u003eSignature\u003c/code\u003e query parameters alongside \u003ccode\u003eSAMLRequest\u003c/code\u003e, so their absence is visible in the request line; for the HTTP-POST binding the signature is embedded in the XML in the request body, which must be inspected in application or reverse-proxy logs.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of Admidio to address CVE-2026-41669.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T21:56:13Z","date_published":"2026-04-29T21:56:13Z","id":"/briefs/2026-04-admidio-saml-bypass/","summary":"Admidio's SAML Identity Provider implementation fails to 
properly validate signatures on SAML AuthnRequests and LogoutRequests, enabling attackers to bypass signature enforcement, potentially disclose user attributes via forged SSO requests, and terminate user sessions via forged SLO requests.","title":"Admidio SAML Signature Validation Bypass Allows Forged AuthnRequests and LogoutRequests","url":"https://feed.craftedsignal.io/briefs/2026-04-admidio-saml-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["admidio"],"_cs_severities":["medium"],"_cs_tags":["saml","sso","acs-bypass","admidio","cve-2026-41670"],"_cs_type":"advisory","_cs_vendors":["admidio"],"content_html":"\u003cp\u003eA vulnerability exists in Admidio\u0026rsquo;s SAML IdP implementation within the SSO module (versions 5.0.8 and earlier) that allows for bypassing Assertion Consumer Service (ACS) URL validation. The IdP uses the \u003ccode\u003eAssertionConsumerServiceURL\u003c/code\u003e value directly from incoming SAML AuthnRequest messages as the destination for the SAML response without verifying it against the registered \u003ccode\u003esmc_acs_url\u003c/code\u003e for the corresponding service provider client. An attacker can exploit this by crafting a SAML AuthnRequest with the Entity ID of a registered SP client and an attacker-controlled \u003ccode\u003eAssertionConsumerServiceURL\u003c/code\u003e. This causes the IdP to send the signed SAML response, containing sensitive user identity attributes (login name, email, roles, profile fields), to a URL controlled by the attacker. The default configuration does not require signed AuthnRequests, simplifying exploitation to only needing the SP\u0026rsquo;s Entity ID.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies the Entity ID of a registered SAML service provider (SP) client within the Admidio IdP. 
This is often publicly available from the SP\u0026rsquo;s metadata endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SAML AuthnRequest. The AuthnRequest includes the legitimate SP Entity ID as the Issuer, but sets the \u003ccode\u003eAssertionConsumerServiceURL\u003c/code\u003e to a URL controlled by the attacker (e.g., \u003ccode\u003ehttps://attacker.test/steal-saml\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted SAML AuthnRequest to Admidio\u0026rsquo;s SSO endpoint (\u003ccode\u003e/modules/sso/index.php/saml/sso\u003c/code\u003e) using the HTTP-POST binding, typically by tricking a logged-in user into accessing a webpage containing an auto-submitting form.\u003c/li\u003e\n\u003cli\u003eAdmidio\u0026rsquo;s SSO module receives the AuthnRequest. If signature validation is not enforced for the SP, the request proceeds without signature verification.\u003c/li\u003e\n\u003cli\u003eIf the user is already authenticated with the Admidio IdP, the IdP generates a signed SAML response containing the user\u0026rsquo;s identity and attributes. 
The destination of the SAML response is set to the attacker-controlled \u003ccode\u003eAssertionConsumerServiceURL\u003c/code\u003e taken directly from the AuthnRequest.\u003c/li\u003e\n\u003cli\u003eAdmidio renders an auto-submitting HTML form in the victim\u0026rsquo;s browser, which POSTs the signed SAML response to the attacker\u0026rsquo;s URL (\u003ccode\u003ehttps://attacker.test/steal-saml\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s server receives the SAML response and extracts the user\u0026rsquo;s login name, email, full name, roles, and any other profile fields included in the assertion. This disclosure needs nothing further from the SP.\u003c/li\u003e\n\u003cli\u003eThe attacker replays the stolen SAML assertion to the legitimate SP to authenticate as the victim, gaining unauthorized access to the SP application and its resources. This step succeeds only against an SP that does not enforce the standard SAML 2.0 checks: the response \u003ccode\u003eDestination\u003c/code\u003e (set to the attacker URL here) and the assertion\u0026rsquo;s SubjectConfirmationData \u003ccode\u003eRecipient\u003c/code\u003e must match the SP\u0026rsquo;s own ACS URL, the assertion must still be within its \u003ccode\u003eNotOnOrAfter\u003c/code\u003e window, and an assertion ID must not be accepted twice.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to steal user identities and impersonate victims on legitimate service provider applications. This leads to unauthorized access to user accounts and potential access to sensitive data and resources within those applications. Because the stolen identity is usable at a separate application, the attack crosses a CVSS scope boundary: impersonation reaches the service providers, not just the IdP. The vulnerability is exploitable without knowledge of any cryptographic key if \u003ccode\u003esmc_require_auth_signed\u003c/code\u003e is not enabled, which is the default. 
All versions of Admidio up to and including 5.0.8 are affected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the vendor-supplied patch described in GHSA-p9w9-87c8-m235 by upgrading to a version of Admidio greater than 5.0.8.\u003c/li\u003e\n\u003cli\u003eAs a temporary mitigation, enable \u003ccode\u003esmc_require_auth_signed\u003c/code\u003e and \u003ccode\u003esmc_validate_signatures\u003c/code\u003e for all SAML clients so that only requests signed with a registered SP key are accepted. Note that on the same affected versions the callers discard the result of \u003ccode\u003evalidateSignature()\u003c/code\u003e (the signature-validation bypass brief for CVE-2026-41669), so these settings only protect an installation on which that fix is also applied.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to the Admidio SSO endpoint (\u003ccode\u003e/modules/sso/index.php/saml/sso\u003c/code\u003e) whose \u003ccode\u003eSAMLRequest\u003c/code\u003e decodes to an \u003ccode\u003eAssertionConsumerServiceURL\u003c/code\u003e that differs from the registered client\u0026rsquo;s \u003ccode\u003esmc_acs_url\u003c/code\u003e; the \u0026ldquo;Admidio SAML AuthnRequest ACS URL Override\u0026rdquo; Sigma rule targets this. On the HTTP-POST binding the \u003ccode\u003eSAMLRequest\u003c/code\u003e travels in the request body (base64 only), so this needs a proxy or WAF that logs bodies; on the HTTP-Redirect binding it is in the query string (base64 over DEFLATE).\u003c/li\u003e\n\u003cli\u003eMonitor outbound browser traffic and egress logs for SAML responses posted to URLs that are not a registered \u003ccode\u003esmc_acs_url\u003c/code\u003e. \u003ccode\u003ehttps://attacker.test/steal-saml\u003c/code\u003e is a placeholder used in this brief (\u003ccode\u003e.test\u003c/code\u003e is a reserved TLD), not a real indicator, so match on the mismatch rather than on that string.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"/briefs/2024-01-29-admidio-saml-acs-bypass/","summary":"Admidio's SAML IdP implementation in its SSO module is vulnerable to sending SAML responses to unvalidated Assertion Consumer Service URLs, allowing an attacker to craft a SAML AuthnRequest with an arbitrary AssertionConsumerServiceURL, causing the IdP to send the signed SAML response, containing user identity attributes, to an attacker-controlled URL, enabling impersonation of the victim user on the legitimate SP by replaying the SAML assertion.","title":"Admidio SAML Assertion Consumer Service (ACS) 
URL Validation Bypass","url":"https://feed.craftedsignal.io/briefs/2024-01-29-admidio-saml-acs-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["admidio"],"_cs_severities":["high"],"_cs_tags":["2fa","bypass","privilege-escalation","admidio"],"_cs_type":"advisory","_cs_vendors":["composer","admidio"],"content_html":"\u003cp\u003eAdmidio, a web-based content management system for organizations, contains a critical vulnerability in its two-factor authentication (2FA) reset mechanism. The vulnerability, present in versions 5.0.8 and earlier, stems from an inverted authorization check within the \u003ccode\u003emodules/profile/two_factor_authentication.php\u003c/code\u003e script. This flaw enables non-administrative users, specifically group leaders with profile edit rights, to disable 2FA for other users, including administrator accounts. The vulnerability was reported on April 29, 2026. By exploiting this flaw, attackers can bypass 2FA, gaining unauthorized access to privileged accounts and potentially compromising the entire Admidio installation. 
This highlights the importance of rigorous security audits and proper authorization checks in web applications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises or gains access to a non-admin user account within Admidio that possesses \u003ccode\u003ehasRightEditProfile()\u003c/code\u003e permission over an administrator account.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a POST request to \u003ccode\u003e/adm_program/modules/profile/two_factor_authentication.php\u003c/code\u003e with the \u003ccode\u003emode\u003c/code\u003e parameter set to \u003ccode\u003ereset\u003c/code\u003e and the \u003ccode\u003euser_uuid\u003c/code\u003e parameter set to the UUID of the target administrator account.\u003c/li\u003e\n\u003cli\u003eThe server-side script \u003ccode\u003emodules/profile/two_factor_authentication.php\u003c/code\u003e executes the flawed authorization check at line 84. Due to the inverted logic (\u003ccode\u003e!==\u003c/code\u003e instead of \u003ccode\u003e===\u003c/code\u003e), the check incorrectly grants permission to the non-admin user to reset the administrator\u0026rsquo;s 2FA.\u003c/li\u003e\n\u003cli\u003eThe server removes the TOTP configuration associated with the administrator\u0026rsquo;s account from the database or configuration files.\u003c/li\u003e\n\u003cli\u003eThe attacker can now attempt to log in to the administrator account using only the password, bypassing the 2FA requirement.\u003c/li\u003e\n\u003cli\u003eIf the attacker knows or can guess the administrator\u0026rsquo;s password (via credential stuffing, brute force, or other means), they successfully gain access to the account.\u003c/li\u003e\n\u003cli\u003eWith administrator privileges, the attacker can perform a variety of malicious actions, such as creating new accounts, modifying website content, or accessing sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability allows attackers to bypass two-factor authentication on administrator accounts in Admidio installations. This can lead to unauthorized access to sensitive data, modification of website content, and potentially full control over the affected system. While the number of affected installations is unknown, organizations using vulnerable versions of Admidio are at risk. Success of the attack results in complete compromise of the Admidio instance and the data it manages.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the recommended fix by changing \u003ccode\u003e!==\u003c/code\u003e to \u003ccode\u003e===\u003c/code\u003e on line 84 of \u003ccode\u003emodules/profile/two_factor_authentication.php\u003c/code\u003e to correct the authorization logic (see Overview).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Admidio 2FA Reset Request\u003c/code\u003e to detect attempts to exploit this vulnerability by monitoring HTTP POST requests to the vulnerable endpoint (see Rules).\u003c/li\u003e\n\u003cli\u003eUpgrade Admidio to a patched version that incorporates the fix for CVE-2026-41660.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-22T12:00:00Z","date_published":"2024-01-22T12:00:00Z","id":"/briefs/2024-01-admidio-2fa-bypass/","summary":"A logic error in Admidio's two-factor authentication reset inverts the authorization check, allowing non-admin users to remove other users' TOTP, including administrators, reducing their security to password-only authentication in versions 5.0.8 and earlier.","title":"Admidio Inverted 2FA Reset Allows Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2024-01-admidio-2fa-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Admidio","version":"https://jsonfeed.org/version/1.1"}
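The following Python script is an added example written for this page; it is not Admidio's code and not part of the feed above. It serves the two SAML briefs (the signature-validation bypass for CVE-2026-41669 and the ACS URL bypass for CVE-2026-41670): it decodes a SAMLRequest the way the IdP's receiveMessage() or a log-review script sees it, then applies the two checks the briefs say Admidio 5.0.8 skipped, namely that the AssertionConsumerServiceURL must equal the registered client's smc_acs_url and that a client marked smc_require_auth_signed must present a signature. The endpoint path, the column names and the binding encodings come from the briefs and the SAML 2.0 bindings; the client table, the example SP, the AuthnRequests, the log lines, the log format and all function names are constructed assumptions of this example.

```python
"""Added example for the two SAML briefs above; not Admidio's code.

Signature *presence* is all that is tested here. Cryptographic verification is a
separate step whose result must itself be acted on (the bug in the first brief).
Client table, requests and access-log lines are constructed for this example.
"""
import base64
import re
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for Admidio's SAML client table (column names from the briefs).
CLIENTS = {
    "https://sp.example.org/saml/metadata": {
        "smc_acs_url": "https://sp.example.org/saml/acs",
        "smc_require_auth_signed": True,
    },
}
SSO_PATH = "/adm_program/modules/sso/index.php/saml/sso"


def decode_saml_request(value, binding):
    """Base64-decode a SAMLRequest; the HTTP-Redirect binding also applies raw DEFLATE."""
    raw = base64.b64decode(value)
    if binding == "redirect":
        raw = zlib.decompress(raw, -15)  # -15: raw DEFLATE stream, no zlib header
    return raw.decode()


def parse_authn_request(xml_text):
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest")
    return {"issuer": root.findtext("saml:Issuer", namespaces=NS),
            "acs_url": root.get("AssertionConsumerServiceURL"),
            "xml_signed": root.find("ds:Signature", NS) is not None}


def check_request(req, query_signed=False):
    """Return the findings for one request; an empty list means both checks pass."""
    client = CLIENTS.get(req["issuer"])
    if client is None:
        return ["unknown-issuer"]
    findings = []
    # Respond only to the registered ACS URL, never to the one named in the request.
    if req["acs_url"] is not None and req["acs_url"] != client["smc_acs_url"]:
        findings.append("acs-url-mismatch")
    # Redirect binding carries the signature as SigAlg/Signature query params, not in the XML.
    if client["smc_require_auth_signed"] and not (req["xml_signed"] or query_signed):
        findings.append("missing-signature")
    return findings


LOG_RE = re.compile(r'"(?P<method>GET|POST) (?P<target>\S+) HTTP/1\.[01]" (?P<status>\d{3})')


def scan_access_log(lines):
    """Check HTTP-Redirect binding requests to the SSO endpoint found in access-log lines.

    Only GETs can be checked this way: on the HTTP-POST binding the SAMLRequest is in
    the request body, which plain access logs do not record.
    """
    results = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m.group("method") != "GET":
            continue
        url = urlsplit(m.group("target"))
        qs = parse_qs(url.query)
        if url.path != SSO_PATH or "SAMLRequest" not in qs:
            continue
        req = parse_authn_request(decode_saml_request(qs["SAMLRequest"][0], "redirect"))
        query_signed = "SigAlg" in qs and "Signature" in qs
        results.append((req["issuer"], req["acs_url"], check_request(req, query_signed)))
    return results


def build_authn_request(issuer, acs_url, xml_signed=False):
    """Constructed AuthnRequest; the optional ds:Signature is a placeholder, not a real one."""
    sig = ('<ds:Signature xmlns:ds="%s"><ds:SignatureValue>constructed</ds:SignatureValue>'
           '</ds:Signature>' % NS["ds"]) if xml_signed else ""
    return ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_constructed" '
            'Version="2.0" IssueInstant="2026-04-29T10:00:00Z" '
            'AssertionConsumerServiceURL="%s"><saml:Issuer>%s</saml:Issuer>%s'
            '</samlp:AuthnRequest>' % (NS["samlp"], NS["saml"], acs_url, issuer, sig))


def encode_post(xml_text):
    return base64.b64encode(xml_text.encode()).decode()


def encode_redirect(xml_text):
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def sample_log():
    """Two constructed access-log lines: a signed legitimate request and a forged one."""
    sp = "https://sp.example.org/saml/metadata"
    legit = encode_redirect(build_authn_request(sp, "https://sp.example.org/saml/acs"))
    forged = encode_redirect(build_authn_request(sp, "https://attacker.test/steal-saml"))
    line = '203.0.113.5 - - [29/Apr/2026:10:00:00 +0000] "GET %s?%s HTTP/1.1" 302 0'
    return [line % (SSO_PATH, urlencode({"SAMLRequest": legit, "Signature": "constructed",
                                         "SigAlg": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"})),
            line % (SSO_PATH, urlencode({"SAMLRequest": forged}))]


if __name__ == "__main__":
    for issuer, acs, findings in scan_access_log(sample_log()):
        print(issuer, acs, findings or "ok")
```

Run stand-alone, the script reports the first constructed line as clean and flags the second with both `acs-url-mismatch` and `missing-signature`. The same `check_request()` is what the IdP should run before building a response; in the detection role it is only as good as the log source, which is why the POST binding needs body logging.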