Executive Summary

CVE-2026-41670 is a vulnerability in Admidio's SAML Identity Provider (IdP) implementation prior to version 5.0.9. The issue arises because the IdP uses the AssertionConsumerServiceURL value directly from incoming SAML AuthnRequest messages without validating it against the registered ACS URL stored in the database for the corresponding service provider (SP).

An attacker who knows the Entity ID of a registered SP client can craft a malicious AuthnRequest with an arbitrary AssertionConsumerServiceURL. This causes the IdP to send the signed SAML response, which contains sensitive user identity attributes such as login name, email, roles, and profile fields, to an attacker-controlled URL.

This vulnerability is due to improper input validation and URL redirection to an untrusted site, allowing attackers to intercept sensitive identity data.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to serious security impacts including user identity theft and information disclosure.

An attacker can intercept signed SAML responses containing sensitive user attributes by redirecting them to an attacker-controlled URL.

This can allow the attacker to impersonate the victim on the legitimate service provider, resulting in unauthorized access and potential misuse of the victim's identity.

The vulnerability has a high CVSS score of 8.2, indicating a high severity with network attack vector and high confidentiality impact.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the SAML Identity Provider (IdP) in Admidio accepting and using an unvalidated AssertionConsumerServiceURL from incoming SAML AuthnRequest messages. Detection would involve monitoring SAML AuthnRequest traffic to identify requests where the AssertionConsumerServiceURL does not match the registered ACS URL for the service provider.

You can inspect network traffic or logs for suspicious SAML AuthnRequest messages with unexpected or attacker-controlled AssertionConsumerServiceURL values.

Suggested commands might include using tools like tcpdump or tshark to capture SAML traffic and grep or jq to filter for AssertionConsumerServiceURL fields that differ from known registered URLs.

• Capture SAML traffic on the network interface: tcpdump -i <interface> -w saml_traffic.pcap port 443
• Analyze captured traffic for AssertionConsumerServiceURL values: tshark -r saml_traffic.pcap -Y 'saml2.AuthnRequest' -T fields -e saml2.AssertionConsumerServiceURL
• Compare extracted URLs against the registered ACS URLs stored in your Admidio database.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade Admidio to version 5.0.9 or later, where this vulnerability has been patched.

Until the upgrade can be performed, you should ensure that the SAML IdP implementation validates the AssertionConsumerServiceURL from incoming AuthnRequest messages against the registered ACS URL for the service provider.

Additionally, review your SAML configuration to enforce signature validation on AuthnRequests if it is not already enabled, as this adds a layer of defense.

Monitor logs and network traffic for suspicious AuthnRequests with unexpected ACS URLs to detect potential exploitation attempts.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an attacker to steal sensitive user identity data such as login name, email, roles, and profile fields by redirecting SAML responses to an attacker-controlled URL.

Such unauthorized disclosure of personal and identity information can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls on the confidentiality and integrity of personal data.

By enabling attackers to impersonate users and access sensitive attributes, the vulnerability undermines compliance with these standards' requirements for secure authentication and data handling.

Useful 0 Not Useful 0