CVE-2026-42194 Overview
CVE-2026-42194 is a Server-Side Request Forgery (SSRF) vulnerability in Admidio, an open-source user management solution. The flaw exists in fetch_metadata.php prior to version 5.0.9. An incomplete SSRF fix validates the resolved IP address but then passes the original hostname-based URL to curl_init(). This gap creates a DNS rebinding Time-of-Check Time-of-Use (TOCTOU) window. Authenticated attackers with high privileges can redirect outbound requests to internal IP addresses. The issue is tracked under CWE-918 and patched in Admidio 5.0.9.
Critical Impact
Successful exploitation allows attackers to bypass SSRF protections and reach internal network resources, exposing confidential data on adjacent systems.
Affected Products
- Admidio versions prior to 5.0.9
- Admidio fetch_metadata.php component
- Self-hosted Admidio installations exposed to authenticated users
Discovery Timeline
- 2026-05-07 - CVE-2026-42194 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-42194
Vulnerability Analysis
The vulnerability resides in Admidio's metadata fetching logic in fetch_metadata.php. The application attempts to prevent SSRF by resolving a user-supplied URL's hostname and validating that the resulting IP address is not internal. After validation, the code passes the original hostname-based URL (not the validated IP) to curl_init(). Because curl performs its own DNS resolution at request time, an attacker-controlled DNS server can return a public IP during validation and an internal IP during the actual fetch. This gap between check and use is a classic TOCTOU pattern applied to DNS resolution, commonly called DNS rebinding.
Root Cause
The root cause is incomplete SSRF mitigation. The validation step and the request execution step rely on independent DNS lookups. The fix in Admidio 5.0.9 closes the window by ensuring the validated IP is the address actually contacted, rather than re-resolving the hostname during the HTTP request.
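The check-then-use gap and the fix pattern, as an added model that is not Admidio's code: the resolver and the transport are stubs injected so the rebinding window can be reproduced offline, and the hostname rebind.example and its two answers are constructed. In PHP the hardened path corresponds to handing the validated address to curl through CURLOPT_RESOLVE instead of letting curl resolve the hostname itself (with redirects left disabled, since a redirect to a new hostname would re-open the same gap).

```python
"""Model of the check-then-use gap behind CVE-2026-42194 and of the fix.

Added example, not Admidio's code. The resolver and transport are injected
so the DNS rebinding window can be shown without any network access.
"""
import ipaddress
from typing import Callable, Iterator
from urllib.parse import urlsplit


def is_internal(ip: str) -> bool:
    """True for loopback, RFC 1918, link-local (169.254.169.254 included),
    reserved, multicast and unspecified addresses."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def rebinding_resolver(answers: list) -> Callable[[str], str]:
    """Constructed stand-in for a short-TTL authoritative server: every lookup
    of the name yields the next answer in the list (public first, then internal)."""
    it: Iterator[str] = iter(answers)

    def resolve(hostname: str) -> str:
        return next(it)
    return resolve


def vulnerable_fetch(url: str, resolve, connect) -> dict:
    """Pre-5.0.9 pattern: validate one resolution, then hand the hostname URL
    to the HTTP client, which performs its own second lookup."""
    host = urlsplit(url).hostname
    checked_ip = resolve(host)            # lookup #1: time of check
    if is_internal(checked_ip):
        raise ValueError(f"blocked: {host} -> {checked_ip}")
    actual_ip = resolve(host)             # lookup #2 inside the client: time of use
    return connect(actual_ip, host)


def hardened_fetch(url: str, resolve, connect) -> dict:
    """Fixed pattern: resolve once, validate, and connect to that exact address,
    keeping the original hostname only for the Host header / SNI."""
    host = urlsplit(url).hostname
    checked_ip = resolve(host)
    if is_internal(checked_ip):
        raise ValueError(f"blocked: {host} -> {checked_ip}")
    return connect(checked_ip, host)      # no second lookup: the address is pinned


def record_connect(ip: str, host: str) -> dict:
    """Transport stub: records which address would actually be contacted."""
    return {"ip": ip, "host_header": host, "internal": is_internal(ip)}


def demo() -> tuple:
    """Run both flows against the same rebinding answers; returns (vulnerable, hardened)."""
    url = "http://rebind.example/metadata"   # constructed attacker-controlled name
    answers = ["1.2.3.4", "127.0.0.1"]       # constructed: public on check, loopback on use
    vuln = vulnerable_fetch(url, rebinding_resolver(answers), record_connect)
    fixed = hardened_fetch(url, rebinding_resolver(answers), record_connect)
    return vuln, fixed


if __name__ == "__main__":
    v, f = demo()
    print("vulnerable flow contacted", v["ip"], "internal:", v["internal"])
    print("hardened flow contacted  ", f["ip"], "internal:", f["internal"])
```

The vulnerable flow passes the check on the first answer and then contacts the second; the hardened flow contacts only the address it validated, which is exactly what the 5.0.9 fix enforces by reusing the resolved IP.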
Attack Vector
An authenticated attacker hosts a domain backed by a DNS server returning short-TTL responses. The attacker submits a URL referencing that domain to the metadata fetch endpoint. The first DNS query returns a benign public IP, passing the SSRF allow-list check. The second query, issued by curl, returns an internal IP such as 127.0.0.1 or a cloud metadata address like 169.254.169.254. Admidio then issues the HTTP request against the internal target and returns response data to the attacker.
No verified exploit code is published. Refer to the GitHub Security Advisory GHSA-hcjj-chvw-fmw9 for additional technical context.
Detection Methods for CVE-2026-42194
Indicators of Compromise
- Outbound HTTP requests from the Admidio web server to RFC1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or link-local 169.254.0.0/16.
- Repeated DNS queries from the Admidio host to the same external domain with very low TTL values.
- Unexpected entries in fetch_metadata.php access logs referencing attacker-controlled hostnames.
Detection Strategies
- Inspect web server and PHP-FPM logs for invocations of fetch_metadata.php followed by internal-bound curl requests.
- Correlate DNS resolver logs with subsequent egress traffic from the application server to identify rebinding patterns.
- Alert on any successful HTTP responses retrieved by Admidio from cloud metadata endpoints.
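The correlation described in the indicators and detection strategies above, as an added example that is not part of the advisory or of Admidio: it parses constructed DNS resolver and egress firewall lines (the formats, the web server address 10.0.5.20 and the domain names are all made up for the demo), flags names whose low-TTL answers flip between public and internal addresses, and raises an alert when the application host connects to an internal address that a DNS answer produced shortly before.

```python
"""Detection for the CVE-2026-42194 rebinding pattern over sample log lines.

Added example, not part of the advisory or Admidio. The log formats below are
constructed; map the two regexes to your resolver's and firewall's real formats.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs; the Admidio web server is 10.0.5.20 in this scenario.
APP_HOST = "10.0.5.20"
DNS_LOG = """\
2026-05-08T10:00:01Z 10.0.5.20 rebind.example A 1.2.3.4 ttl=1
2026-05-08T10:00:02Z 10.0.5.20 rebind.example A 169.254.169.254 ttl=1
2026-05-08T10:05:00Z 10.0.5.20 updates.example A 5.6.7.8 ttl=3600
2026-05-08T10:06:00Z 10.0.9.9 intranet.example A 10.0.1.5 ttl=300
"""
EGRESS_LOG = """\
2026-05-08T10:00:02Z 10.0.5.20 -> 169.254.169.254:80 ALLOW
2026-05-08T10:05:01Z 10.0.5.20 -> 5.6.7.8:443 ALLOW
2026-05-08T10:06:01Z 10.0.9.9 -> 10.0.1.5:445 ALLOW
"""

DNS_RE = re.compile(r"^(\S+) (\S+) (\S+) A (\S+) ttl=(\d+)$")
EGRESS_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+)$")


def is_internal(ip):
    """RFC 1918, loopback and link-local (covers the cloud metadata address)."""
    a = ipaddress.ip_address(ip)
    return a.is_private or a.is_loopback or a.is_link_local


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_dns(text):
    out = []
    for line in text.splitlines():
        m = DNS_RE.match(line)
        if m:
            t, client, qname, answer, ttl = m.groups()
            out.append({"t": ts(t), "client": client, "qname": qname,
                        "answer": answer, "ttl": int(ttl)})
    return out


def parse_egress(text):
    out = []
    for line in text.splitlines():
        m = EGRESS_RE.match(line)
        if m:
            t, src, dst, port, action = m.groups()
            out.append({"t": ts(t), "src": src, "dst": dst,
                        "port": int(port), "action": action})
    return out


def rebinding_names(dns, max_ttl=5):
    """Names that, for one client, answered with both a non-internal and an
    internal address at low TTL: the 'same domain, very low TTL' indicator."""
    seen = defaultdict(set)
    for r in dns:
        if r["ttl"] <= max_ttl:
            seen[(r["client"], r["qname"])].add(is_internal(r["answer"]))
    return sorted(q for (_, q), kinds in seen.items() if kinds == {True, False})


def internal_egress_alerts(dns, egress, app_host, window=timedelta(seconds=30)):
    """Egress from the app host to an internal address that a DNS answer on
    that host produced within `window` before: the check/use correlation."""
    alerts = []
    for e in egress:
        if e["src"] != app_host or not is_internal(e["dst"]):
            continue
        for r in dns:
            if (r["client"] == app_host and r["answer"] == e["dst"]
                    and timedelta(0) <= e["t"] - r["t"] <= window):
                alerts.append({"when": e["t"].isoformat(), "qname": r["qname"],
                               "dst": e["dst"], "port": e["port"]})
    return alerts


def run(dns_text=DNS_LOG, egress_text=EGRESS_LOG, app_host=APP_HOST):
    dns, egress = parse_dns(dns_text), parse_egress(egress_text)
    return {"rebinding_names": rebinding_names(dns),
            "alerts": internal_egress_alerts(dns, egress, app_host)}


if __name__ == "__main__":
    for key, value in run().items():
        print(key, value)
```

On hosts that legitimately resolve names in your own internal zones, scope the correlation to names outside those zones, otherwise ordinary intranet lookups followed by intranet connections will look like rebinding.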
Monitoring Recommendations
- Forward web, DNS, and egress firewall logs to a centralized analytics platform for correlation.
- Track authenticated user actions that trigger metadata fetches and baseline expected destinations.
- Monitor for short-TTL DNS responses originating from untrusted domains during application-driven lookups.
How to Mitigate CVE-2026-42194
Immediate Actions Required
- Upgrade Admidio to version 5.0.9 or later, where the SSRF fix resolves the hostname once and reuses the validated IP.
- Restrict access to authenticated administrative roles able to invoke fetch_metadata.php until patching completes.
- Block egress traffic from the Admidio host to internal management ranges and cloud metadata endpoints.
Patch Information
The vendor released the fix in Admidio 5.0.9. Review the Admidio 5.0.9 Release Notes and the GitHub Security Advisory GHSA-hcjj-chvw-fmw9 for full remediation details.
Workarounds
- Place Admidio behind an egress proxy that enforces destination allow-lists at the network layer.
- Configure host firewall rules to deny outbound connections to RFC1918 and link-local addresses from the web server.
- Disable or remove the metadata fetch feature if it is not required by the deployment.
# Example iptables rules to block SSRF egress to internal ranges
# --uid-owner must name the account the PHP worker runs as (www-data on Debian-style hosts);
# these rules cover IPv4 only, so add matching ip6tables rules for ::1/128, fc00::/7 and fe80::/10.
iptables -A OUTPUT -m owner --uid-owner www-data -d 10.0.0.0/8 -j REJECT
iptables -A OUTPUT -m owner --uid-owner www-data -d 172.16.0.0/12 -j REJECT
iptables -A OUTPUT -m owner --uid-owner www-data -d 192.168.0.0/16 -j REJECT
iptables -A OUTPUT -m owner --uid-owner www-data -d 169.254.0.0/16 -j REJECT
iptables -A OUTPUT -m owner --uid-owner www-data -d 127.0.0.0/8 -j REJECT