CVE-2026-41670 Overview
CVE-2026-41670 is a high-severity input validation flaw in Admidio, an open-source user management application. The vulnerability resides in the Security Assertion Markup Language (SAML) Identity Provider (IdP) implementation within Admidio's Single Sign-On (SSO) module. Versions prior to 5.0.9 accept the AssertionConsumerServiceURL value from incoming SAML AuthnRequest messages without validating it against the registered Assertion Consumer Service (ACS) URL stored in the database. An attacker who knows a registered service provider Entity ID can redirect signed SAML responses, including user identity attributes, to an attacker-controlled endpoint. The issue is fixed in Admidio version 5.0.9.
Critical Impact
Attackers can exfiltrate signed SAML assertions containing login names, email addresses, roles, and profile fields by redirecting the IdP response to an arbitrary URL.
Affected Products
- Admidio versions prior to 5.0.9
- Admidio SSO module SAML IdP component
- Deployments using Admidio as a SAML Identity Provider for downstream service providers
Discovery Timeline
- 2026-05-07 - CVE-2026-41670 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-41670
Vulnerability Analysis
Admidio acts as a SAML Identity Provider through its SSO module. When a service provider initiates authentication, it sends a SAML AuthnRequest containing an AssertionConsumerServiceURL element. This value tells the IdP where to deliver the signed SAML response after the user authenticates.
The vulnerable code path uses the AssertionConsumerServiceURL directly from the request as the response destination. The IdP does not compare the requested URL to the smc_acs_url value registered for that service provider client in the database. As a result, the trust boundary between registered ACS endpoints and request-supplied endpoints collapses.
After a victim authenticates, the IdP signs the SAML response containing identity attributes such as login name, email, roles, and profile fields. The signed response is then posted to the attacker-supplied URL. The attacker captures the assertion and can replay it against the legitimate service provider or harvest the disclosed user data. This weakness is classified under CWE-20 Improper Input Validation.
Root Cause
The root cause is missing server-side validation of the AssertionConsumerServiceURL field. The SAML 2.0 specification requires IdPs to verify that the requested ACS URL matches a value registered in service provider metadata. Admidio's implementation skipped this comparison against the stored smc_acs_url, trusting client-controlled input for response routing.
Attack Vector
Exploitation requires network access to the Admidio SAML endpoint and knowledge of a registered service provider Entity ID. The attacker crafts a SAML AuthnRequest that references a legitimate Entity ID but specifies an attacker-controlled AssertionConsumerServiceURL. The attacker then induces an authenticated user to follow the request, typically through a phishing link. Once the user authenticates, the IdP issues a signed SAML response and posts it to the attacker's URL, exposing identity attributes and a valid signed assertion.
No authentication is required to send the malicious AuthnRequest, but user interaction is required to complete the authentication flow at the IdP. See the GitHub Security Advisory GHSA-p9w9-87c8-m235 for additional technical details.
Detection Methods for CVE-2026-41670
Indicators of Compromise
- SAML AuthnRequest messages where AssertionConsumerServiceURL does not match the smc_acs_url registered for the supplied Entity ID
- Outbound HTTP POST requests from the Admidio host to domains not associated with any registered service provider
- Unexpected authentication events in Admidio logs originating from unfamiliar referrer URLs or IP ranges
- Spike in SAML SSO requests targeting a single Entity ID from non-corporate networks
Detection Strategies
- Parse Admidio web server logs for SAML SSO requests and compare the AssertionConsumerServiceURL parameter against the registered ACS URL list
- Implement application-layer logging that records both the requested ACS URL and the registered ACS URL for each SAML transaction
- Alert on SAML responses delivered to destinations outside an approved domain allowlist
Monitoring Recommendations
- Monitor egress traffic from the Admidio server for connections to unknown external hosts immediately following user authentication events
- Review access logs for repeated AuthnRequest submissions referencing the same Entity ID with varying ACS URLs
- Enable verbose SAML transaction logging and forward events to a centralized SIEM for correlation with identity activity
How to Mitigate CVE-2026-41670
Immediate Actions Required
- Upgrade Admidio to version 5.0.9 or later, which validates the AssertionConsumerServiceURL against the stored smc_acs_url
- Audit registered SAML service provider clients and remove unused or untrusted Entity IDs from the Admidio database
- Rotate any session tokens or credentials issued through the SSO module since exposure cannot be ruled out for prior transactions
- Notify federated service providers so they can review their authentication logs for suspicious assertions
Patch Information
The fix is included in Admidio 5.0.9. Refer to the GitHub Release v5.0.9 for download artifacts and the full changelog. The patched IdP now compares the request-supplied AssertionConsumerServiceURL against the smc_acs_url registered for the matching service provider client and rejects mismatches before issuing a signed response.
Workarounds
- Disable the SAML SSO module in Admidio until upgrading to 5.0.9 if patching cannot be completed immediately
- Restrict network access to the Admidio SAML endpoint to known service provider IP ranges using firewall or reverse proxy rules
- Apply a web application firewall rule that inspects SAML AuthnRequest payloads and blocks requests where AssertionConsumerServiceURL falls outside an approved domain allowlist
# Example reverse proxy allowlist for SAML ACS destinations
# nginx snippet restricting SAML SSO endpoint access
location /modules/sso/ {
allow 203.0.113.0/24; # trusted SP network
allow 198.51.100.10; # trusted SP host
deny all;
proxy_pass http://admidio_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
