{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-41670/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["admidio"],"_cs_severities":["medium"],"_cs_tags":["saml","sso","acs-bypass","admidio","cve-2026-41670"],"_cs_type":"advisory","_cs_vendors":["admidio"],"content_html":"\u003cp\u003eA vulnerability exists in Admidio\u0026rsquo;s SAML IdP implementation within the SSO module (versions 5.0.8 and earlier) that allows for bypassing Assertion Consumer Service (ACS) URL validation. The IdP uses the \u003ccode\u003eAssertionConsumerServiceURL\u003c/code\u003e value directly from incoming SAML AuthnRequest messages as the destination for the SAML response without verifying it against the registered \u003ccode\u003esmc_acs_url\u003c/code\u003e for the corresponding service provider client. An attacker can exploit this by crafting a SAML AuthnRequest with the Entity ID of a registered SP client and an attacker-controlled \u003ccode\u003eAssertionConsumerServiceURL\u003c/code\u003e. This causes the IdP to send the signed SAML response, containing sensitive user identity attributes (login name, email, roles, profile fields), to a URL controlled by the attacker. The default configuration does not require signed AuthnRequests, simplifying exploitation to only needing the SP\u0026rsquo;s Entity ID.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies the Entity ID of a registered SAML service provider (SP) client within the Admidio IdP. This is often publicly available from the SP\u0026rsquo;s metadata endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SAML AuthnRequest. The AuthnRequest includes the legitimate SP Entity ID as the Issuer, but sets the \u003ccode\u003eAssertionConsumerServiceURL\u003c/code\u003e to a URL controlled by the attacker (e.g., \u003ccode\u003ehttps://attacker.test/steal-saml\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted SAML AuthnRequest to Admidio\u0026rsquo;s SSO endpoint (\u003ccode\u003e/modules/sso/index.php/saml/sso\u003c/code\u003e) using the HTTP-POST binding, typically by tricking a logged-in user into accessing a webpage containing an auto-submitting form.\u003c/li\u003e\n\u003cli\u003eAdmidio\u0026rsquo;s SSO module receives the AuthnRequest. If signature validation is not enforced for the SP, the request proceeds without signature verification.\u003c/li\u003e\n\u003cli\u003eIf the user is already authenticated with the Admidio IdP, the IdP generates a signed SAML response containing the user\u0026rsquo;s identity and attributes. The destination of the SAML response is set to the attacker-controlled \u003ccode\u003eAssertionConsumerServiceURL\u003c/code\u003e taken directly from the AuthnRequest.\u003c/li\u003e\n\u003cli\u003eAdmidio renders an auto-submitting HTML form in the victim\u0026rsquo;s browser, which POSTs the signed SAML response to the attacker\u0026rsquo;s URL (\u003ccode\u003ehttps://attacker.test/steal-saml\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s server receives the SAML response, extracting the user\u0026rsquo;s login name, email, full name, roles, and any other profile fields included in the assertion.\u003c/li\u003e\n\u003cli\u003eThe attacker replays the stolen SAML assertion to the legitimate SP to authenticate as the victim, gaining unauthorized access to the SP application and its resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to steal user identities and impersonate victims on legitimate service provider applications. This leads to unauthorized access to user accounts and potential access to sensitive data and resources within those applications. The scope change enables impersonation across separate service provider applications. The vulnerability is exploitable without requiring knowledge of cryptographic keys if \u003ccode\u003esmc_require_auth_signed\u003c/code\u003e is not enabled, making it easier to exploit. All versions of Admidio up to and including 5.0.8 are affected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the vendor-supplied patch described in GHSA-p9w9-87c8-m235 by upgrading to a version of Admidio greater than 5.0.8.\u003c/li\u003e\n\u003cli\u003eAs a temporary mitigation, enable \u003ccode\u003esmc_require_auth_signed\u003c/code\u003e and \u003ccode\u003esmc_validate_signatures\u003c/code\u003e for all SAML clients to enforce signature validation, mitigating attacks from unauthenticated sources.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to the Admidio SSO endpoint (\u003ccode\u003e/modules/sso/index.php/saml/sso\u003c/code\u003e) with suspicious \u003ccode\u003eSAMLRequest\u003c/code\u003e parameters containing attacker-controlled \u003ccode\u003eAssertionConsumerServiceURL\u003c/code\u003e values, which can be detected using the \u0026ldquo;Admidio SAML AuthnRequest ACS URL Override\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections to attacker-controlled URLs, such as \u003ccode\u003ehttps://attacker.test/steal-saml\u003c/code\u003e, which may indicate successful exploitation and the exfiltration of SAML responses as listed in the IOC table.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"/briefs/2024-01-29-admidio-saml-acs-bypass/","summary":"Admidio's SAML IdP implementation in its SSO module is vulnerable to sending SAML responses to unvalidated Assertion Consumer Service URLs, allowing an attacker to craft a SAML AuthnRequest with an arbitrary AssertionConsumerServiceURL, causing the IdP to send the signed SAML response, containing user identity attributes, to an attacker-controlled URL, enabling impersonation of the victim user on the legitimate SP by replaying the SAML assertion.","title":"Admidio SAML Assertion Consumer Service (ACS) URL Validation Bypass","url":"https://feed.craftedsignal.io/briefs/2024-01-29-admidio-saml-acs-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-41670","version":"https://jsonfeed.org/version/1.1"}