CVE-2026-41670

Name of the Vulnerable Software and Affected Versions Admidio versions prior to 5.0.9

Description The SAML IdP implementation in the SSO module uses the AssertionConsumerServiceURL value from incoming SAML AuthnRequest messages as the destination for the SAML response without validating it against the registered ACS URL (smc acs url) stored in the database for the corresponding service provider client. An attacker who knows the Entity ID of a registered SP client can craft a SAML AuthnRequest with an arbitrary AssertionConsumerServiceURL, causing the IdP to send the signed SAML response—containing user identity attributes such as login name, email, roles, and profile fields—to an attacker-controlled URL. This issue occurs in the handleSSORequest() function within the src/SSO/Service/SAMLService.php file and also affects the error response path. If smc require auth signed or smc validate signatures are not enabled, the request is processed without signature verification.

Recommendations Update to version 5.0.9. As a temporary workaround, restrict access to the SSO module or ensure that smc require auth signed and smc validate signatures are enabled for all registered SP clients to increase security, although this does not fully resolve the lack of ACS URL validation.