Compliance Impact

The vulnerability in Admidio's OIDC token introspection and revocation endpoints allows unauthorized access by accepting any token as valid and failing to revoke compromised tokens. This authentication bypass can lead to unauthorized access to protected systems and data.

Such unauthorized access and inability to properly invalidate compromised credentials can undermine compliance with standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive personal and health information.

Specifically, failure to properly validate tokens and revoke compromised credentials increases the risk of data breaches and unauthorized data processing, potentially violating requirements for data security, integrity, and confidentiality mandated by these regulations.

Useful 0 Not Useful 0

Executive Summary

The vulnerability CVE-2026-41671 affects Admidio versions 5.0.8 and earlier in the OpenID Connect (OIDC) token introspection and revocation endpoints.

The introspection endpoint always returns {"active": true} for any token submitted, regardless of whether the token is valid, expired, revoked, or fabricated. This happens because the endpoint does not authenticate the calling resource server nor validate the token.

As a result, any resource server relying on this endpoint to validate access tokens will accept all requests as authorized, enabling complete authentication bypass.

Additionally, the token revocation endpoint returns {"revoked": true} without actually revoking any token, preventing resource servers from invalidating compromised credentials.

This flaw allows attackers to use any arbitrary token to gain unauthorized access and prevents the invalidation of stolen tokens until they naturally expire.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized access to systems using Admidio's OIDC integration because any token, valid or not, is accepted as authorized.

Attackers can bypass authentication completely, gaining access to protected resources without valid credentials.

Furthermore, compromised tokens cannot be revoked, meaning stolen credentials remain usable until they expire naturally, increasing the risk of prolonged unauthorized access.

The overall impact is a compromise of system integrity and potential exposure of sensitive data or functionality.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing the OIDC token introspection endpoint at `/modules/sso/index.php/oidc/introspect` to see if it always returns `{"active": true}` regardless of the token submitted.

A simple detection method is to send arbitrary or invalid Bearer tokens to the introspection endpoint and observe the response.

• Use curl to send a request with an invalid token: curl -X POST -H "Authorization: Bearer invalidtoken" https://<admidio-server>/modules/sso/index.php/oidc/introspect
• If the response is always {"active": true}, the system is vulnerable.

Similarly, testing the revocation endpoint `/oidc/revoke` by sending a token revocation request and checking if the response returns {"revoked": true} without actual revocation can help detect the issue.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Admidio to version 5.0.9 or later, where this vulnerability has been patched.

This update fixes the introspection and revocation endpoints by properly authenticating resource servers, validating tokens against the database, checking expiry and revocation status, and returning accurate responses according to RFC standards.

Until the upgrade can be applied, avoid relying on the vulnerable introspection endpoint for token validation and consider additional access controls or monitoring to detect unauthorized access.

Useful 0 Not Useful 0