CVE-2026-41670
Status: Deferred - Pending Action
SAML Response Redirect in Admidio SSO Module

Publication date: 2026-05-07

Last updated on: 2026-05-07

Assigner: GitHub, Inc.

Description
Admidio is an open-source user management solution. Prior to version 5.0.9, the SAML IdP implementation in Admidio's SSO module uses the AssertionConsumerServiceURL value directly from incoming SAML AuthnRequest messages as the destination for the SAML response, without validating it against the registered ACS URL (smc_acs_url) stored in the database for the corresponding service provider client. An attacker who knows the Entity ID of a registered SP client can craft a SAML AuthnRequest with an arbitrary AssertionConsumerServiceURL, causing the IdP to send the signed SAML response -- containing user identity attributes (login name, email, roles, profile fields) -- to an attacker-controlled URL. This issue has been patched in version 5.0.9.
Meta Information
Published: 2026-05-07
Last Modified: 2026-05-07
Generated: 2026-05-18
AI Q&A: 2026-05-07
EPSS Evaluated: 2026-05-11
References: NVD, EUVD
Affected Vendors & Products
Vendor: admidio
Product: admidio
Version / Range: all versions before 5.0.9 (5.0.9 itself is not affected)
CWE
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-41670 is a vulnerability in the SAML Identity Provider (IdP) implementation of Admidio's SSO module prior to version 5.0.9. The IdP takes the AssertionConsumerServiceURL attribute straight from an incoming SAML AuthnRequest and uses it as the destination of the SAML Response, without checking it against the ACS URL registered for that service provider (SP) in the database (column smc_acs_url).

An attacker who knows the Entity ID of a registered SP can therefore craft an AuthnRequest whose Issuer names that SP but whose AssertionConsumerServiceURL points at a host the attacker controls. In SAML web browser SSO the IdP hands the Response to the user's browser for delivery to the ACS URL, so the attacker needs a victim who has (or will establish) a session at the Admidio IdP to open the crafted request; the signed Response, carrying the victim's login name, email, roles and profile fields, is then delivered to the attacker's URL instead of to the SP.

The root causes are improper input validation (CWE-20) and the use of a user-controlled URL as a redirect target (CWE-601), which together let an attacker intercept identity data the IdP was only supposed to release to the registered SP.


How can this vulnerability impact me?

The impact is disclosure of user identity data: an attacker can obtain signed SAML Responses containing the victim's login name, email, roles and profile fields by steering them to a URL the attacker controls.

Whether a captured Response can also be replayed against the legitimate SP depends on that SP. A conforming SP checks the Response's Destination attribute and the assertion's SubjectConfirmationData Recipient against its own ACS URL; if the IdP fills those fields with the URL it actually sent the Response to, a Response issued for the attacker's URL fails that check. An SP that skips these checks could be presented with the stolen Response and log the attacker in as the victim.

The vulnerability has a CVSS score of 8.2 (high), reflecting a network attack vector and high confidentiality impact.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The IdP accepts the AssertionConsumerServiceURL from AuthnRequests without validation, so an exploitation attempt leaves a trace at the IdP: an AuthnRequest whose ACS URL differs from the smc_acs_url registered for the SP named in its Issuer element. That mismatch is what to look for.

SAML requests reach the IdP over HTTPS, so a packet capture on port 443 only helps if you can decrypt it (TLS terminated at a proxy you control, or session keys at hand), and Wireshark has no SAML dissector to filter on. The practical source is the web-server access log of the Admidio SSO endpoint: with the HTTP-Redirect binding the SAMLRequest parameter (URL-encoded base64 of raw-DEFLATE XML) is in the query string and therefore in the log; with the HTTP-POST binding it travels in the request body and only shows up if the application logs it.

  • Pull the encoded requests out of the access log: grep -o 'SAMLRequest=[^& "]*' access.log | cut -d= -f2-
  • Decode them (URL-decode, base64-decode, raw inflate) and list the issuer and ACS URL each one asks for: ... | python3 -c 'import sys,base64,zlib,urllib.parse; [print(zlib.decompress(base64.b64decode(urllib.parse.unquote(l.strip())),-15).decode()) for l in sys.stdin]' | grep -o 'Issuer>[^<]*\|AssertionConsumerServiceURL="[^"]*"'
  • Compare each extracted URL with the smc_acs_url stored for the matching SP in your Admidio database; a request whose ACS URL differs from the registered value is an exploitation attempt, and the requesting IP and timestamp in the same log line tell you where it came from.

What immediate steps should I take to mitigate this vulnerability?

The fix is to upgrade Admidio to version 5.0.9 or later.

The advisory describes no configuration-only workaround. If you must patch the SSO module yourself until you can upgrade, the change belongs in the AuthnRequest handling: look up the SP by the request's Issuer, take the ACS URL from its smc_acs_url record, and reject (or at least ignore) any AssertionConsumerServiceURL in the request that differs from it. The Response must only ever be sent to the registered URL, and the comparison should be an exact match rather than a prefix or host check.

Where the SSO module lets you require signed AuthnRequests, turn that on: an attacker who does not hold the SP's signing key then cannot produce an AuthnRequest the IdP will accept, which blocks this attack as a layer of defence in depth.

Monitor the IdP's access logs for AuthnRequests whose ACS URL differs from the registered one, since that is the signature of an exploitation attempt.
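The following Python script is added here as an illustration, not Admidio's own (PHP) code, and serves both the detection steps above and the fix described under mitigation. It decodes SAMLRequest values as carried by the HTTP-Redirect binding (base64 of raw DEFLATE) or the HTTP-POST binding (base64 only), extracts the Issuer and AssertionConsumerServiceURL, shows the pre-5.0.9 behaviour beside the corrected ACS resolution, and scans access-log lines for mismatches. REGISTERED_SPS stands in for the smc_acs_url column; the endpoint path /idp/sso, the SP and attacker hostnames, the request IDs and the log lines are all constructed for the example.

```python
"""Added example (Python illustration, not Admidio's PHP code): decode SAML
AuthnRequests, resolve the ACS URL safely, flag mismatches (CVE-2026-41670)."""
import base64
import re
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Hypothetical stand-in for the SP client table: Entity ID -> smc_acs_url.
SP_ENTITY_ID = "https://sp.example.org/saml/metadata"
REGISTERED_SPS = {SP_ENTITY_ID: "https://sp.example.org/saml/acs"}


def decode_saml_request(param_value: str) -> bytes:
    """SAMLRequest value -> XML bytes. Redirect binding: base64 of raw DEFLATE;
    POST binding: base64 only. A '+' a query parser turned into ' ' is restored."""
    raw = base64.b64decode(param_value.replace(" ", "+"))
    try:
        return zlib.decompress(raw, -15)  # wbits=-15: raw DEFLATE, no zlib header
    except zlib.error:
        return raw


def parse_authn_request(xml_bytes: bytes):
    """Return (issuer, requested_acs_url); either is None when absent."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    issuer_el = root.find(f"{{{SAML}}}Issuer")
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
    return issuer, root.get("AssertionConsumerServiceURL")


def vulnerable_acs_url(issuer, requested, registry=REGISTERED_SPS):
    """Pre-5.0.9 behaviour as the advisory describes it: the request wins."""
    return requested if requested is not None else registry[issuer]


def resolve_acs_url(issuer, requested, registry=REGISTERED_SPS):
    """Fixed behaviour: the Response only ever goes to the registered URL; a
    request naming a different one is rejected (exact match, no prefix logic)."""
    registered = registry.get(issuer)
    if registered is None:
        raise ValueError(f"unknown SP issuer {issuer!r}")
    if requested is not None and requested != registered:
        raise ValueError(f"requested ACS URL {requested!r} != registered {registered!r}")
    return registered


# Detection over access-log lines: with the HTTP-Redirect binding the
# SAMLRequest parameter sits in the query string and so in the log.
REQUEST_LINE = re.compile(r'"GET (?P<path>\S+) HTTP/[\d.]+"')


def scan_access_log(lines, registry=REGISTERED_SPS):
    """Return [(issuer, acs, verdict)]; verdict: ok / acs-mismatch / unknown-sp."""
    findings = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m.group("path")).query)
        if "SAMLRequest" not in qs:
            continue
        issuer, acs = parse_authn_request(decode_saml_request(qs["SAMLRequest"][0]))
        registered = registry.get(issuer)
        if registered is None:
            verdict = "unknown-sp"
        elif acs is None or acs == registered:
            verdict = "ok"
        else:
            verdict = "acs-mismatch"
        findings.append((issuer, acs, verdict))
    return findings


# Constructed sample input (not captured traffic); /idp/sso is a hypothetical path.
def make_authn_request(issuer, acs_url, req_id):
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'ID="{req_id}" Version="2.0" IssueInstant="2026-05-07T10:00:00Z" '
            f'AssertionConsumerServiceURL="{acs_url}">'
            f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>').encode()


def redirect_binding_param(xml_bytes):
    """Encode as an SP does for HTTP-Redirect: raw DEFLATE, base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return quote(base64.b64encode(comp.compress(xml_bytes) + comp.flush()).decode(), safe="")


def post_binding_param(xml_bytes):
    """Encode as an SP does for HTTP-POST: base64 only, no compression."""
    return base64.b64encode(xml_bytes).decode()


ATTACKER_ACS = "https://attacker.example/collect"
SAMPLE_LOG = [
    '203.0.113.5 - - [07/May/2026:10:00:00 +0000] "GET /idp/sso?SAMLRequest='
    + redirect_binding_param(make_authn_request(SP_ENTITY_ID, REGISTERED_SPS[SP_ENTITY_ID], "_r1"))
    + ' HTTP/1.1" 302 -',
    '198.51.100.9 - - [07/May/2026:10:00:05 +0000] "GET /idp/sso?SAMLRequest='
    + redirect_binding_param(make_authn_request(SP_ENTITY_ID, ATTACKER_ACS, "_r2"))
    + ' HTTP/1.1" 302 -',
    '203.0.113.5 - - [07/May/2026:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 -',
]

if __name__ == "__main__":
    for issuer, acs, verdict in scan_access_log(SAMPLE_LOG):
        print(f"{verdict:13} issuer={issuer} acs={acs}")
    print("vulnerable ->", vulnerable_acs_url(SP_ENTITY_ID, ATTACKER_ACS))
    try:
        resolve_acs_url(SP_ENTITY_ID, ATTACKER_ACS)
    except ValueError as exc:
        print("fixed      ->", exc)
```

Run against a real access log, replace SAMPLE_LOG with the file's lines and REGISTERED_SPS with the Entity ID to smc_acs_url pairs from the Admidio database. resolve_acs_url deliberately compares the full URL string: matching only the host or a prefix would let an attacker who controls any path on the SP host, or a host that merely starts with the SP's name, slip past the check.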


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability lets an attacker obtain identity data (login name, email, roles and profile fields) by redirecting signed SAML Responses to a URL they control.

Unauthorised disclosure of such personal data can constitute a breach under data protection regimes such as GDPR and HIPAA, which require controls on the confidentiality and integrity of personal data.

Because the data leaves the organisation through its own identity provider, the flaw also undermines the secure-authentication and data-handling requirements those regimes impose, even where the attacker never manages to use the stolen Response against the legitimate service provider.

