CVE-2026-41671
BaseFortify
Publication date: 2026-05-07
Last updated on: 2026-05-07
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| admidio | admidio | to 5.0.9 (exc) |
| admidio | admidio | 5.0.9 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability CVE-2026-41671 affects Admidio versions 5.0.8 and earlier in the OpenID Connect (OIDC) token introspection and revocation endpoints.
The introspection endpoint always returns `{"active": true}` for any token submitted, regardless of whether the token is valid, expired, revoked, or fabricated. This happens because the endpoint neither authenticates the calling resource server nor looks the token up at all; RFC 7662 requires a `{"active": false}` answer for any token the server cannot confirm as live.
As a result, any resource server relying on this endpoint to validate access tokens will accept all requests as authorized, enabling complete authentication bypass.
Additionally, the token revocation endpoint returns {"revoked": true} without actually revoking any token, preventing resource servers from invalidating compromised credentials.
This flaw allows attackers to use any arbitrary token to gain unauthorized access and prevents the invalidation of stolen tokens until they naturally expire.
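To make the two behaviours concrete, the following added example (written for this page, not Admidio's own PHP code) models the vulnerable introspection and revocation handlers next to RFC 7662 / RFC 7009 shaped replacements. The resource-server credentials, the token records and the `(status, body)` return convention are assumptions of the model; the point is that the vulnerable handlers never consult the caller's identity or the token store, while the fixed ones do.

```python
import hmac
import time

# Constructed sample state for the model (not Admidio's real storage):
# one registered resource server and two issued tokens.
RESOURCE_SERVERS = {"rs-wiki": "rs-wiki-secret"}   # assumed client_id -> secret
TOKENS = {
    "tok-good": {"sub": "alice", "client_id": "rs-wiki", "scope": "openid profile",
                 "exp": time.time() + 3600, "revoked": False},
    "tok-expired": {"sub": "bob", "client_id": "rs-wiki", "scope": "openid",
                    "exp": time.time() - 60, "revoked": False},
}


def vulnerable_introspect(token, client_id=None, client_secret=None):
    """The behaviour the advisory describes: the caller is not authenticated,
    the token is never looked up, and every answer is 'active'."""
    return 200, {"active": True}


def vulnerable_revoke(token, client_id=None, client_secret=None):
    """The behaviour the advisory describes: success is reported, nothing changes."""
    return 200, {"revoked": True}


def _resource_server_ok(client_id, client_secret):
    """Constant-time check of the assumed resource-server secret."""
    expected = RESOURCE_SERVERS.get(client_id)
    return expected is not None and hmac.compare_digest(expected, client_secret or "")


def fixed_introspect(token, client_id=None, client_secret=None):
    """RFC 7662 shape: reject unauthenticated callers, answer active=false for
    unknown, expired or revoked tokens, otherwise return the token metadata."""
    if not _resource_server_ok(client_id, client_secret):
        return 401, {"error": "invalid_client"}
    rec = TOKENS.get(token)
    if rec is None or rec["revoked"] or rec["exp"] <= time.time():
        return 200, {"active": False}   # say nothing else about an invalid token
    return 200, {"active": True, "sub": rec["sub"], "client_id": rec["client_id"],
                 "scope": rec["scope"], "exp": int(rec["exp"])}


def fixed_revoke(token, client_id=None, client_secret=None):
    """RFC 7009 shape: reject unauthenticated callers, mark a token issued to
    this client as revoked. Unknown tokens still get a 200 so the endpoint
    cannot be used to enumerate live tokens. RFC 7009 only needs the status
    code; the JSON body mirrors what the advisory says Admidio returns."""
    if not _resource_server_ok(client_id, client_secret):
        return 401, {"error": "invalid_client"}
    rec = TOKENS.get(token)
    if rec is not None and rec["client_id"] == client_id:
        rec["revoked"] = True
    return 200, {"revoked": True}
```

Run `fixed_introspect("tok-good", "rs-wiki", "rs-wiki-secret")` before and after `fixed_revoke(...)` on the same token to see the revocation take effect; the vulnerable pair reports the token active both times and accepts a made-up token just the same.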
How can this vulnerability impact me?
This vulnerability can lead to unauthorized access to systems using Admidio's OIDC integration because any token, valid or not, is accepted as authorized.
Attackers can bypass authentication completely, gaining access to protected resources without valid credentials.
Furthermore, compromised tokens cannot be revoked, meaning stolen credentials remain usable until they expire naturally, increasing the risk of prolonged unauthorized access.
The overall impact is a compromise of system integrity and potential exposure of sensitive data or functionality.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the OIDC token introspection endpoint at `/modules/sso/index.php/oidc/introspect` with a token the server never issued: a patched server answers `{"active": false}` (or HTTP 401 when the caller is not an authenticated resource server), while a vulnerable server answers `{"active": true}` for anything.
RFC 7662 carries the token as a form parameter named `token`, so send it that way; on vulnerable versions the token is never read, so a token passed as a Bearer header produces the same answer.
- Use curl to submit a fabricated token: curl -X POST -d "token=not-a-real-token" https://<admidio-server>/modules/sso/index.php/oidc/introspect
- If the response is `{"active": true}` for a token that cannot exist, the system is vulnerable.
For the revocation endpoint (`/oidc/revoke` under the same SSO module), a `{"revoked": true}` response alone proves nothing: revoke a token that was legitimately issued to you, then present that token again. If it is still accepted, the revocation was never applied.
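The same introspection check as a small script, added here as an example rather than taken from the advisory or the Admidio project. The endpoint path is the one quoted above; the base URL, the optional resource-server Basic credentials and the fabricated token value are assumptions. The verdict logic is separated from the HTTP call so it can be exercised on captured responses.

```python
import base64
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

# Path taken from the advisory text; the base URL comes from the command line.
# A fabricated token is used on purpose: no real credential is needed, and a
# correct server can never report it as active.
INTROSPECT_PATH = "/modules/sso/index.php/oidc/introspect"
FAKE_TOKEN = "not-a-real-token"


def classify_introspection(status, body):
    """Verdict for an introspection answer about a token the server never issued.
    Returns 'vulnerable', 'patched' or 'inconclusive'."""
    if status == 401:
        return "patched"          # the endpoint now authenticates the resource server
    try:
        data = json.loads(body)
    except ValueError:
        return "inconclusive"     # login page, error page, wrong path ...
    if not isinstance(data, dict) or "active" not in data:
        return "inconclusive"
    if data["active"] is True:
        return "vulnerable"
    if data["active"] is False:
        return "patched"
    return "inconclusive"         # non-boolean 'active' value


def post_form(url, fields, basic_auth=None, timeout=10):
    """POST an application/x-www-form-urlencoded body, optionally with HTTP Basic
    resource-server credentials; returns (status, body) even on 4xx/5xx."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode(),
                                 method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    if basic_auth:
        cred = base64.b64encode(f"{basic_auth[0]}:{basic_auth[1]}".encode()).decode()
        req.add_header("Authorization", f"Basic {cred}")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def probe(base_url, basic_auth=None):
    """Send the fabricated token as the RFC 7662 'token' form field and classify."""
    status, body = post_form(base_url.rstrip("/") + INTROSPECT_PATH,
                             {"token": FAKE_TOKEN}, basic_auth)
    return classify_introspection(status, body), status, body


if __name__ == "__main__":
    # usage: python probe_introspect.py https://<admidio-server>
    verdict, status, body = probe(sys.argv[1])
    print(f"{verdict} (HTTP {status}): {body.strip()[:200]}")
```

A `patched` verdict from an HTTP 401 only shows that the endpoint now demands resource-server authentication; rerun `probe()` with the credentials of a registered resource server to confirm that the fabricated token is then reported inactive rather than active.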
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Admidio to version 5.0.9 or later, where this vulnerability has been patched.
This update fixes the introspection and revocation endpoints by properly authenticating resource servers, validating tokens against the database, checking expiry and revocation status, and returning accurate responses according to RFC standards.
Until the upgrade can be applied, do not treat a bare `{"active": true}` answer from the vulnerable introspection endpoint as sufficient authorization: have resource servers require the token metadata a genuine RFC 7662 answer carries (such as `exp`, `client_id` and `scope`), add compensating access controls in front of the protected resources, and monitor for access from unexpected clients or with unexpected tokens.
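One form the compensating control can take, as an added example that is not part of the advisory or of Admidio: a resource-server side gate that accepts an introspection response only when it carries the metadata a live token answer has, has not expired, names the expected client and grants the required scope. Against the vulnerable endpoint this fails closed, since the bare `{"active": true}` it returns has none of that metadata. The claim list and the `client_id` comparison are assumptions; adjust them to what your patched identity provider actually returns.

```python
import time

# Metadata a genuine RFC 7662 answer about a live token carries (assumed set;
# trim or extend to match your identity provider). A bare {"active": true}
# without any of these is exactly what the vulnerable endpoint emits.
REQUIRED_CLAIMS = ("sub", "client_id", "scope", "exp")


def accept_introspection(resp, expected_client_id, required_scope, now=None):
    """Resource-server side gate over an introspection response.
    Returns True only for an active token with the expected metadata, an
    unexpired 'exp', the expected client_id and the required scope."""
    now = time.time() if now is None else now
    if not isinstance(resp, dict) or resp.get("active") is not True:
        return False
    if any(claim not in resp for claim in REQUIRED_CLAIMS):
        return False   # bare "active" answer: unverified, not authorized
    if not isinstance(resp["exp"], (int, float)) or resp["exp"] <= now:
        return False   # expired, or exp missing its numeric value
    if resp["client_id"] != expected_client_id:
        return False   # token issued to a different client
    return required_scope in str(resp["scope"]).split()


if __name__ == "__main__":
    # Constructed responses: what the vulnerable endpoint returns, and a full answer.
    bare = {"active": True}
    full = {"active": True, "sub": "alice", "client_id": "rs-wiki",
            "scope": "openid profile", "exp": time.time() + 600}
    print("bare answer accepted:", accept_introspection(bare, "rs-wiki", "profile"))
    print("full answer accepted:", accept_introspection(full, "rs-wiki", "profile"))
```

The gate is deliberately strict about `exp` and `client_id`; if the identity provider omits `scope` for some token types, drop it from `REQUIRED_CLAIMS` and enforce the scope elsewhere rather than loosening the whole check.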