CVE-2026-41669
Status: Deferred - Pending Action
SAML Signature Validation Bypass in Admidio

Publication date: 2026-05-07

Last updated on: 2026-05-07

Assigner: GitHub, Inc.

Description
Admidio is an open-source user management solution. Prior to version 5.0.9, the Admidio SAML Identity Provider implementation discards the return value of its validateSignature() method at both call sites (handleSSORequest() line 418 and handleSLORequest() line 613). The method returns error strings on failure rather than throwing exceptions, but the developer believed it would throw (per comments on lines 416 and 611). This means the smc_require_auth_signed configuration option is completely ineffective: unsigned or invalidly-signed SAML AuthnRequests and LogoutRequests are processed identically to properly signed ones. This issue has been patched in version 5.0.9.
Meta Information
Generated: 2026-05-18
AI Q&A: 2026-05-07
EPSS Evaluated: 2026-05-11
Affected Vendors & Products (2 associated CPEs)
Vendor    Product    Version / Range
admidio   admidio    up to 5.0.9 (excluding)
admidio   admidio    5.0.9
CWE
CWE-347: The product does not verify, or incorrectly verifies, the cryptographic signature for data.
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability arises because the Admidio SAML Identity Provider implementation prior to version 5.0.9 ignores the return value of its validateSignature() method, so unsigned or invalidly-signed SAML AuthnRequests and LogoutRequests are processed as if they were valid. Detection therefore has two parts: confirm whether the installation runs version 5.0.8 or earlier (every such version is affected, and enabling smc_require_auth_signed changes nothing, because the option's check runs but its result is never acted on), and look for SAML requests that reached the IdP without a signature, which the vulnerable versions would have accepted.

To spot exploitation attempts, look for AuthnRequests and LogoutRequests that arrive at the IdP's SSO and SLO endpoints without a signature. Two bindings matter. With the HTTP-Redirect binding the request travels in the SAMLRequest query parameter and, if signed, the signature travels alongside it in the SigAlg and Signature parameters, so the web server's access log is enough to tell signed from unsigned. With the HTTP-POST binding both the request and any ds:Signature element sit inside the base64-encoded form body, which access logs do not record, so only application-level logging or a capture of the request body can show whether it was signed. Wireshark or tcpdump only help where the traffic is in plaintext; on port 443 you will see ciphertext, so capture at a TLS-terminating reverse proxy or on the hop between it and the application.

  • Capture plaintext HTTP to the IdP and pick out the SAML parameters: tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -E 'SAMLRequest|SigAlg|Signature='
  • In the access log, find Redirect-binding requests that carry SAMLRequest but no Signature parameter, for example: grep 'SAMLRequest=' access.log | grep -v 'Signature=' (access.log is a placeholder for your web server's log). A Signature parameter that is present is not proof that it verified; its absence is proof the request was unsigned.

Also confirm which Admidio version is installed. The version is shown in the administration area of the web interface; on the file system, search the installation for its version definition (the path below is a placeholder for your installation directory) or compare the files against the 5.0.9 release.

  • Check Admidio version: grep -rin 'version' /path/to/admidio/ or check the changelog files shipped with the installation.
  • Check whether signed requests are supposed to be required: look up the smc_require_auth_signed setting in the SSO preferences of the administration interface; on vulnerable versions the setting is stored but not enforced.

Since the vulnerability is fixed in version 5.0.9, upgrading to this version is the recommended mitigation.
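The access-log check described above, as an added example that is not part of this advisory or of Admidio: a Python scanner over combined-format access-log lines. The endpoint paths /saml/sso and /saml/slo, the Issuer value, the placeholder Signature value and the log lines are constructed for the example; adjust IDP_ENDPOINT_RE to the URLs your IdP actually exposes. It decodes Redirect-binding SAMLRequest values (raw DEFLATE plus base64, as that binding specifies) to tell AuthnRequests from LogoutRequests, flags requests without a Signature/SigAlg pair as unsigned, and marks POST-binding requests as undecidable from the access log alone.

```python
"""
Added example (not part of the advisory or Admidio): scan web-server access
log lines (combined log format) for SAML requests that reached the IdP
endpoints without a signature. Endpoint paths, Issuer and log lines are
constructed for this example.
"""
import base64
import re
import zlib
from urllib.parse import parse_qs, quote, urlsplit

# Assumed endpoint paths; replace with the SSO/SLO URLs your Admidio IdP exposes.
IDP_ENDPOINT_RE = re.compile(r"^/saml/(?:sso|slo)$")

# Combined log format request line: ip ident user [time] "METHOD target proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ROOT_RE = re.compile(r"<(?:\w+:)?(AuthnRequest|LogoutRequest)\b")
ISSUER_RE = re.compile(r"<(?:\w+:)?Issuer[^>]*>([^<]+)<")


def encode_redirect(xml: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE, then base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    return quote(base64.b64encode(deflated).decode(), safe="")


def decode_redirect(value: str) -> str:
    """Inverse of encode_redirect; parse_qs has already removed the URL-encoding."""
    return zlib.decompress(base64.b64decode(value), -15).decode()


def classify(line: str):
    """Return a finding dict for a request to an IdP endpoint, None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not IDP_ENDPOINT_RE.match(url.path):
        return None
    finding = {"ip": m.group("ip"), "method": m.group("method"),
               "path": url.path, "kind": "unknown", "issuer": None}
    if m.group("method") == "POST":
        # HTTP-POST binding: SAMLRequest and any ds:Signature are in the body,
        # which the access log does not record; needs application-level logging.
        finding["verdict"] = "body-not-logged"
        return finding
    qs = parse_qs(url.query)
    if "SAMLRequest" not in qs:
        finding["verdict"] = "no-saml-request"
        return finding
    try:
        xml = decode_redirect(qs["SAMLRequest"][0])
        root = ROOT_RE.search(xml)
        issuer = ISSUER_RE.search(xml)
        finding["kind"] = root.group(1) if root else "unknown"
        finding["issuer"] = issuer.group(1).strip() if issuer else None
    except (ValueError, zlib.error):
        finding["kind"] = "undecodable"
    # Redirect binding signs the query string and carries the result in
    # Signature/SigAlg. Presence only means "claims to be signed"; absence is
    # a definite unsigned request, which a vulnerable IdP would still accept.
    signed = "Signature" in qs and "SigAlg" in qs
    finding["verdict"] = "signed" if signed else "unsigned"
    return finding


def scan(lines):
    """Classify every line and keep only the ones that hit an IdP endpoint."""
    return [f for f in map(classify, lines) if f is not None]


# Constructed sample traffic for this example (not real log data).
AUTHN = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
         'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">'
         '<saml:Issuer>https://sp.example/metadata</saml:Issuer></samlp:AuthnRequest>')
LOGOUT = ('<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
          'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_l1" Version="2.0">'
          '<saml:Issuer>https://sp.example/metadata</saml:Issuer>'
          '<saml:NameID>alice</saml:NameID></samlp:LogoutRequest>')
SAMPLE_LOG = [
    '203.0.113.5 - - [07/May/2026:10:00:01 +0000] "GET /saml/sso?SAMLRequest='
    + encode_redirect(AUTHN) + '&SigAlg='
    + quote("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", safe="")
    + '&Signature=Zm9v HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [07/May/2026:10:00:02 +0000] "GET /saml/slo?SAMLRequest='
    + encode_redirect(LOGOUT) + ' HTTP/1.1" 302 0 "-" "curl/8.0"',
    '198.51.100.9 - - [07/May/2026:10:00:03 +0000] "POST /saml/sso HTTP/1.1" 302 0 "-" "curl/8.0"',
    '203.0.113.5 - - [07/May/2026:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run it against a real log with `scan(open("access.log"))` after setting IDP_ENDPOINT_RE. The unsigned LogoutRequest from 198.51.100.9 is the line worth pursuing; the POST line is the reminder that the log alone cannot clear a POST-binding request.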


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The vulnerability allows attackers to bypass SAML signature validation, enabling them to forge authentication and logout requests. This can lead to unauthorized access to sensitive user data such as login names, emails, and roles, as well as denial of service by forcing user logouts.

Such unauthorized access and manipulation of user authentication processes can negatively impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information and ensuring secure authentication mechanisms.

By allowing attackers to intercept or forge SAML assertions containing sensitive user data, the vulnerability increases the risk of data breaches and unauthorized data disclosure, which are critical compliance concerns under these regulations.


Can you explain this vulnerability to me?

CVE-2026-41669 is a vulnerability in Admidio's SAML Identity Provider implementation prior to version 5.0.9. The issue arises because the validateSignature() method returns error strings on failure but these return values are discarded instead of being checked. The developer mistakenly believed exceptions would be thrown. As a result, the smc_require_auth_signed configuration option is ineffective, allowing unsigned or invalidly-signed SAML AuthnRequests and LogoutRequests to be processed as if they were valid.
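The defect described in the Description above and in this answer, modelled as an added Python example (not Admidio's PHP code): validate_signature() follows the advisory's convention of returning an error string on failure and None on success, never raising; the vulnerable handler calls it and drops the result, the fixed handler checks it. The HMAC stands in for XML-DSig, and the key, function names and messages are assumptions made for this example. The same pattern applies to the SLO handler.

```python
"""
Added example (not Admidio's code): a model of the control-flow defect behind
CVE-2026-41669. validate_signature() reports failure through its return value
rather than by raising, so a caller that discards the value learns nothing.
The HMAC over the request stands in for XML-DSig; key and names are assumed.
"""
import hashlib
import hmac
from typing import Optional

# Stand-in for the signing key of the registered Service Provider (constructed).
SP_SIGNING_KEY = b"constructed-key-for-the-registered-sp"


def sign(request: bytes) -> str:
    """What a legitimate Service Provider would attach to its request."""
    return hmac.new(SP_SIGNING_KEY, request, hashlib.sha256).hexdigest()


def validate_signature(request: bytes, signature: Optional[str]) -> Optional[str]:
    """Return None if the signature verifies, otherwise an error string.

    Mirrors the advisory: failures come back as strings, nothing is thrown.
    """
    if not signature:
        return "request carries no signature"
    expected = sign(request)
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return "signature does not verify against the registered SP key"
    return None


def handle_sso_request_vulnerable(request: bytes, signature: Optional[str],
                                  require_signed: bool) -> str:
    """Pre-5.0.9 pattern: the check runs, its verdict is thrown away."""
    if require_signed:
        # The developer assumed this would throw on failure; it never does,
        # so every request falls through to "accepted".
        validate_signature(request, signature)
    return "accepted"


def handle_sso_request_fixed(request: bytes, signature: Optional[str],
                             require_signed: bool) -> str:
    """Corrected pattern: the return value decides whether processing continues."""
    if require_signed:
        error = validate_signature(request, signature)
        if error is not None:
            return "rejected: " + error
    return "accepted"


if __name__ == "__main__":
    authn = b'<samlp:AuthnRequest ID="_x" Version="2.0"/>'  # constructed request
    for sig in (None, "0" * 64, sign(authn)):
        print(f"signature={str(sig)[:12]:<14} "
              f"vulnerable={handle_sso_request_vulnerable(authn, sig, True):<10} "
              f"fixed={handle_sso_request_fixed(authn, sig, True)}")
```

The alternative fix is to make the validator raise, which is what the original caller expected; either way the rule is that a validator whose verdict is a return value must have that value consumed at every call site, and an unused-result lint on security checks catches exactly this class of bug.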


How can this vulnerability impact me? :

This vulnerability allows attackers to bypass SAML signature validation, enabling two main attack scenarios:

  • Because an unsigned AuthnRequest is accepted, an attacker can craft one that directs the response to an attacker-controlled endpoint and get a logged-in user's browser to submit it; the IdP then delivers that user's SAML assertion, which carries sensitive user data such as login name, e-mail address and roles, to the attacker.
  • Because an unsigned LogoutRequest is accepted, an attacker can forge one that terminates a user's session and triggers cascading single logout across all registered Service Providers, a denial of service.

The vulnerability has a high severity CVSS score of 8.2 due to its network-based attack vector, low complexity, no required privileges, and no user interaction, with a high impact on integrity.


What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to upgrade Admidio to version 5.0.9 or later, where the issue has been patched.

This update properly handles the return value of the validateSignature() method, ensuring that unsigned or invalidly-signed SAML AuthnRequests and LogoutRequests are rejected as intended.

Until the upgrade is applied, the smc_require_auth_signed configuration option is ineffective and cannot be relied upon to enforce signature validation.

