CVE-2026-32812 Overview
CVE-2026-32812 is a Server-Side Request Forgery (SSRF) vulnerability in Admidio, an open-source user management solution. The vulnerability exists in the SSO Metadata fetch endpoint at modules/sso/fetch_metadata.php, which accepts an arbitrary URL via the $_GET['url'] parameter and validates it only with PHP's FILTER_VALIDATE_URL before passing it directly to file_get_contents(). This insufficient validation allows authenticated administrators to read arbitrary local files, reach internal services, or fetch cloud instance metadata.
Critical Impact
Authenticated administrators can exploit this SSRF vulnerability to read sensitive local files via the file:// wrapper, access internal network services via http://, or retrieve cloud instance metadata, potentially exposing secrets, credentials, and internal infrastructure details.
Affected Products
- Admidio versions 5.0.0 through 5.0.6
Discovery Timeline
- 2026-03-20 - CVE-2026-32812 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-32812
Vulnerability Analysis
This vulnerability is classified as CWE-918 (Server-Side Request Forgery). The SSO Metadata API endpoint accepts user-controlled URLs and fetches their content server-side without proper scheme validation. While the endpoint uses PHP's FILTER_VALIDATE_URL for validation, this function accepts multiple URI schemes including file://, http://, ftp://, data://, and php://. The full response body is returned verbatim to the caller, enabling data exfiltration.
The vulnerability requires administrator-level authentication to exploit, which limits the attack surface but still poses significant risk in scenarios involving compromised admin accounts, insider threats, or privilege escalation chains.
Root Cause
The root cause is inadequate URL scheme validation in the fetch_metadata.php endpoint. PHP's FILTER_VALIDATE_URL function is designed to validate URL syntax rather than restrict URL schemes to safe values. The endpoint directly passes user-controlled URLs to file_get_contents() without implementing a URL scheme allowlist, enabling attackers to specify dangerous protocols that can access local filesystem resources or internal network services.
Attack Vector
The attack is network-based and requires the attacker to have authenticated access as an administrator. The exploitation flow involves:
- An authenticated administrator sends a request to modules/sso/fetch_metadata.php with a malicious URL parameter
- The URL passes the permissive FILTER_VALIDATE_URL check despite containing dangerous schemes
- The file_get_contents() function processes the URL, fetching content from local files or internal services
- The full response body is returned to the attacker
For local file read attacks, an attacker could use URLs like file:///etc/passwd or file:///var/www/admidio/config.php to access sensitive system and application configuration files. For internal service access, URLs targeting internal IP addresses or cloud metadata endpoints (such as http://169.254.169.254/latest/meta-data/) could expose infrastructure secrets and credentials.
Detection Methods for CVE-2026-32812
Indicators of Compromise
- HTTP requests to modules/sso/fetch_metadata.php containing file://, ftp://, data://, or php:// schemes in the URL parameter
- Requests targeting internal IP addresses (e.g., 10.x.x.x, 172.16.x.x, 192.168.x.x, 127.0.0.1) in the metadata fetch endpoint
- Access attempts to cloud metadata endpoints (e.g., 169.254.169.254) from the Admidio server
- Unusual file access patterns from the web server process to sensitive configuration files
Detection Strategies
- Monitor web server logs for requests to fetch_metadata.php with suspicious URL parameters containing local file schemes or internal network addresses
- Implement web application firewall (WAF) rules to block requests containing dangerous URI schemes (file://, php://, data://) in query parameters
- Deploy network monitoring to detect unexpected outbound connections from the Admidio server to internal services or cloud metadata endpoints
Monitoring Recommendations
- Enable detailed logging for all SSO-related endpoints in Admidio
- Configure alerts for administrator account activity, particularly requests to sensitive API endpoints
- Monitor for anomalous file system access from the web server process
- Implement egress filtering and monitor for connections to cloud metadata IP ranges
How to Mitigate CVE-2026-32812
Immediate Actions Required
- Upgrade Admidio to version 5.0.7 or later immediately
- Review administrator account access and audit recent activity for signs of exploitation
- If immediate upgrade is not possible, consider temporarily disabling the SSO metadata fetch functionality
- Audit server logs for any previous exploitation attempts
Patch Information
The vulnerability has been fixed in Admidio version 5.0.7. The fix is available via GitHub Release v5.0.7. The specific commit addressing this vulnerability is available at the GitHub Commit Details. For additional details, see the GitHub Security Advisory GHSA-6j68-gcc3-mq73.
Workarounds
- Restrict access to the modules/sso/fetch_metadata.php endpoint at the web server level until patching is complete
- Implement WAF rules to block requests containing dangerous URI schemes in the URL parameter
- Limit network egress from the Admidio server to only required external services
- Audit and minimize the number of administrator accounts with access to SSO configuration features
# Example Apache .htaccess rule to block access to the vulnerable endpoint
<Files "fetch_metadata.php">
Require all denied
</Files>
# Example nginx configuration to block the vulnerable endpoint
location ~ /modules/sso/fetch_metadata\.php$ {
deny all;
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
