CVE-2026-32812
SSRF and Local File Read in Admidio SSO Metadata API
Publication date: 2026-03-20
Last updated on: 2026-03-23
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| admidio | admidio | From 5.0.0 (inc) to 5.0.7 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32812 is a vulnerability in Admidio versions 5.0.0 through 5.0.6 affecting the Single Sign-On (SSO) metadata fetch endpoint. This endpoint accepts a URL parameter that is only superficially validated using PHP's FILTER_VALIDATE_URL, which does not restrict dangerous URL schemes such as file://, http://, ftp://, data://, and php://. An authenticated administrator can exploit this by providing malicious URLs that the server fetches using file_get_contents() without further checks.

This leads to several security issues: reading arbitrary local files on the server (Local File Read), performing Server-Side Request Forgery (SSRF) to internal services or cloud metadata endpoints, and injecting arbitrary content via data URIs. The full response from the fetched URL is returned verbatim to the attacker, exposing sensitive data such as configuration files, credentials, private keys, and cloud instance metadata. [1]
How can this vulnerability impact me?
This vulnerability can have serious impacts including disclosure of sensitive local files and credentials, such as database configuration files and private keys. Attackers can gain access to cloud instance metadata, potentially stealing IAM role credentials and compromising cloud infrastructure.
It also allows internal network reconnaissance and lateral movement by making the server perform requests to internal services like Redis or admin panels. This can lead to a full compromise of the database and broader internal network, extending the impact beyond the application itself.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying attempts to exploit the SSO metadata fetch endpoint at modules/sso/fetch_metadata.php by sending requests with arbitrary URLs in the url parameter.

You can monitor web server logs for suspicious requests containing URL schemes such as file://, http:// targeting internal IPs (e.g., 127.0.0.1, 169.254.169.254), ftp://, data://, or php:// in the url parameter.

Example commands to detect exploitation attempts include:

- Using grep to find suspicious URL parameters in access logs: grep -E 'url=(file://|http://127.0.0.1|http://169.254.169.254|ftp://|data://|php://)' /var/log/apache2/access.log
- Using curl to test if the vulnerable endpoint is accessible and responds to arbitrary URLs: curl -i 'https://your-admidio-site/modules/sso/fetch_metadata.php?url=file:///etc/passwd'
- Checking for unexpected outbound HTTP requests from the server to internal IPs or cloud metadata endpoints using network monitoring tools or firewall logs. [1]
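The grep above matches only on literal substrings, so a URL-encoded `url=` value (`file%3A%2F%2F...`) or a private address written as `https://10.0.0.1/` slips past it. The following PHP script is an added example, not part of this page or of Admidio: it decodes the query string of each access-log line, isolates requests to the fetch_metadata.php endpoint, and flags any `url` value whose scheme is not https or whose host is a literal loopback, private, link-local or otherwise reserved address. The log lines are constructed for illustration; the log format is the Apache combined format.

```php
<?php
// Added detection example (not Admidio's code): classify access-log lines that
// hit the SSO metadata fetch endpoint with a suspicious url= parameter.

declare(strict_types=1);

/** True when $host is a literal IP address in a loopback/private/link-local/reserved range. */
function isNonPublicIp(string $host): bool
{
    $host = trim($host, '[]'); // parse_url() returns IPv6 literals in brackets
    if (filter_var($host, FILTER_VALIDATE_IP) === false) {
        return false; // a hostname, not a literal address: cannot judge without DNS
    }
    return filter_var(
        $host,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) === false;
}

/**
 * Inspect one combined-format log line. Returns a reason string when the line
 * looks like an exploitation attempt, or null when it is benign or unrelated.
 */
function classifyLogLine(string $line): ?string
{
    // Request part of the combined log format: "GET /path?query HTTP/1.1"
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return null;
    }
    $request = $m[1];
    if (strpos($request, 'modules/sso/fetch_metadata.php') === false) {
        return null;
    }
    $query = parse_url($request, PHP_URL_QUERY);
    if (!is_string($query)) {
        return null;
    }
    parse_str($query, $params); // parse_str() also percent-decodes the values
    if (!isset($params['url']) || !is_string($params['url'])) {
        return null;
    }
    $target = $params['url'];
    $scheme = strtolower((string) parse_url($target, PHP_URL_SCHEME));
    if ($scheme !== 'https') {
        return "non-https scheme '$scheme' in url parameter";
    }
    $host = (string) parse_url($target, PHP_URL_HOST);
    if (isNonPublicIp($host)) {
        return "url parameter targets non-public address $host";
    }
    return null;
}

// Constructed sample lines, not real traffic.
$sampleLog = [
    '10.0.0.5 - admin [20/Mar/2026:10:00:01 +0000] "GET /modules/sso/fetch_metadata.php?url=https%3A%2F%2Fidp.example.org%2Fmetadata.xml HTTP/1.1" 200 5120',
    '10.0.0.5 - admin [20/Mar/2026:10:00:07 +0000] "GET /modules/sso/fetch_metadata.php?url=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 200 2048',
    '10.0.0.5 - admin [20/Mar/2026:10:00:09 +0000] "GET /modules/sso/fetch_metadata.php?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 300',
    '10.0.0.5 - admin [20/Mar/2026:10:00:12 +0000] "GET /modules/sso/fetch_metadata.php?url=https%3A%2F%2F10.0.0.1%2F HTTP/1.1" 500 0',
    '10.0.0.9 - - [20/Mar/2026:10:00:15 +0000] "GET /index.php HTTP/1.1" 200 1024',
];

foreach ($sampleLog as $line) {
    $reason = classifyLogLine($line);
    if ($reason !== null) {
        echo "ALERT: $reason\n    $line\n";
    }
}
```

Of the five constructed lines, the first and last are silent; the file://, the http://169.254.169.254 and the https://10.0.0.1 requests are reported. A hostname that merely resolves to a private address cannot be judged from the log alone, which is why the outbound-connection monitoring in the last bullet above is still needed alongside log review.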
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Admidio to version 5.0.7 or later, where the vulnerability has been fixed.
If upgrading is not immediately possible, apply the following mitigations:
- Restrict the URL schemes accepted by the SSO metadata fetch endpoint to only allow HTTPS URLs.
- Validate URLs strictly and reject those that resolve to private or reserved IP address ranges to prevent SSRF and local file reads.
- Replace the use of file_get_contents() with a cURL-based approach that restricts protocols to HTTPS only, disables redirects, and sets reasonable timeouts.
- Implement hostname resolution and IP filtering to block requests to internal network addresses.
- Add CORS header restrictions to limit cross-origin requests to trusted frontend URLs.
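The first four mitigation points amount to one hardened fetch routine. The PHP below is an added example, not Admidio's fix and not code from this page: it replaces the FILTER_VALIDATE_URL plus file_get_contents() pattern described above with a scheme allow-list, host resolution and public-address filtering, and a cURL request restricted to HTTPS with redirects disabled and timeouts set. The function name `fetchMetadataSafely`, the size cap and the timeout values are assumptions chosen for illustration.

```php
<?php
// Added example (not Admidio's own code): hardened replacement for fetching an
// SSO metadata document from an administrator-supplied URL.

declare(strict_types=1);

const METADATA_MAX_BYTES = 1024 * 1024; // assumed cap on the fetched document

/** True when $ip is a literal address outside loopback/private/link-local/reserved ranges. */
function isPublicIp(string $ip): bool
{
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

/**
 * Validate the URL, resolve and filter its host, then fetch it over HTTPS only.
 * Throws InvalidArgumentException for rejected input and RuntimeException on transport errors.
 */
function fetchMetadataSafely(string $url): string
{
    // 1. Syntactic check, then a scheme allow-list: FILTER_VALIDATE_URL alone
    //    accepts file://, ftp://, data:// and php://, so it is not enough.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        throw new InvalidArgumentException('Malformed URL');
    }
    $parts = parse_url($url);
    if (!is_array($parts) || strtolower($parts['scheme'] ?? '') !== 'https') {
        throw new InvalidArgumentException('Only https:// metadata URLs are accepted');
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        throw new InvalidArgumentException('Credentials in the URL are not allowed');
    }
    $host = $parts['host'] ?? '';
    $port = $parts['port'] ?? 443;
    if ($host === '') {
        throw new InvalidArgumentException('URL has no host');
    }

    // 2. Resolve the host ourselves and reject non-public addresses.
    //    gethostbynamel() returns IPv4 records only; IPv6 literals are checked directly.
    $literal = trim($host, '[]');
    $isLiteral = filter_var($literal, FILTER_VALIDATE_IP) !== false;
    $addresses = $isLiteral ? [$literal] : (gethostbynamel($host) ?: []);
    if ($addresses === []) {
        throw new InvalidArgumentException("Cannot resolve host $host");
    }
    foreach ($addresses as $ip) {
        if (!isPublicIp($ip)) {
            throw new InvalidArgumentException("Host $host resolves to non-public address $ip");
        }
    }

    // 3. Fetch with cURL: HTTPS only (also for redirects), no redirect following,
    //    certificate verification on, bounded time and size.
    $options = [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false, // a 3xx answer is treated as a failure below
        CURLOPT_SSL_VERIFYPEER  => true,
        CURLOPT_SSL_VERIFYHOST  => 2,
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 10,
        CURLOPT_MAXFILESIZE     => METADATA_MAX_BYTES,
    ];
    if (!$isLiteral) {
        // Pin the connection to the address we just checked, so a second DNS
        // lookup inside cURL cannot return a different (internal) address.
        $options[CURLOPT_RESOLVE] = ["$host:$port:{$addresses[0]}"];
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, $options);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $error  = curl_error($ch);
    curl_close($ch);

    if ($body === false) {
        throw new RuntimeException("Fetch failed: $error");
    }
    if ($status !== 200) {
        throw new RuntimeException("Unexpected HTTP status $status");
    }
    return $body;
}

// Usage sketch with constructed inputs; each of these is rejected before any
// network access, so the loop runs offline.
$rejected = [
    'file:///etc/passwd',
    'http://169.254.169.254/latest/meta-data/',
    'https://127.0.0.1/metadata.xml',
    'https://user:secret@idp.example.org/metadata.xml',
];
foreach ($rejected as $bad) {
    try {
        fetchMetadataSafely($bad);
    } catch (InvalidArgumentException $e) {
        echo "rejected $bad: {$e->getMessage()}\n";
    }
}
```

Two design points matter here. Checking the resolved address and then letting cURL resolve the name again leaves a window for a DNS answer to change between the two lookups, which is why the checked address is handed to cURL via CURLOPT_RESOLVE. And because gethostbynamel() only returns A records, a host that is reachable over IPv6 would be rejected as unresolvable rather than silently passed; adding dns_get_record($host, DNS_AAAA) and filtering those addresses with the same isPublicIp() check is the natural extension if IPv6 identity providers must be supported.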