PT-2026-36108 · Admidio · Admidio

Offset · Published 2026-04-29 · Updated 2026-05-07 · CVE-2026-41671

CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Admidio versions prior to 5.0.9

Description: An issue exists in the OpenID Connect (OIDC) implementation: the token introspection endpoint '/modules/sso/index.php/oidc/introspect' always returns a positive active status, regardless of whether the submitted token is valid, expired, revoked, or fabricated. The endpoint neither authenticates the calling resource server nor validates the submitted token, allowing a complete authentication bypass on any resource server that relies on it. Additionally, the token revocation endpoint '/oidc/revoke' returns a success response without actually revoking the token, so compromised credentials cannot be invalidated. The flaw is located in the handleIntrospectionRequest() and handleRevocationRequest() functions in the src/SSO/Service/OIDCService.php file.

Recommendations: Update to version 5.0.9. As a temporary workaround, restrict access to the '/modules/sso/index.php/oidc/introspect' and '/oidc/revoke' endpoints to minimize the risk of exploitation.
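For contrast with the behaviour described above, here is an added example (not Admidio's code) of how an RFC 7662 introspection handler and an RFC 7009 revocation handler should behave: the caller must authenticate as a registered resource server, and any unknown, expired or revoked token yields `{"active": false}`. The resource server registry, token records and secret values are constructed for illustration.

```python
import hmac
import time

# Constructed sample data: one registered resource server and two issued tokens.
RESOURCE_SERVERS = {"rs-api": "rs-secret-constructed"}
TOKENS = {
    "tok-valid":   {"sub": "alice", "scope": "openid profile", "exp": time.time() + 3600, "revoked": False},
    "tok-expired": {"sub": "bob",   "scope": "openid",         "exp": time.time() - 60,   "revoked": False},
}


class Unauthorized(Exception):
    """Raised when the caller is not an authenticated resource server (maps to HTTP 401)."""


def _authenticate_caller(client_id, client_secret):
    expected = RESOURCE_SERVERS.get(client_id)
    # Constant-time comparison; an unknown client_id fails the same way as a wrong secret.
    if expected is None or not hmac.compare_digest(expected, client_secret):
        raise Unauthorized("resource server authentication failed")


def introspect(client_id, client_secret, token, now=None):
    """Return the introspection response. Unknown, expired or revoked tokens
    produce {"active": False} and no other claims (RFC 7662 section 2.2)."""
    _authenticate_caller(client_id, client_secret)
    now = time.time() if now is None else now
    rec = TOKENS.get(token)
    if rec is None or rec["revoked"] or rec["exp"] <= now:
        return {"active": False}
    return {"active": True, "sub": rec["sub"], "scope": rec["scope"], "exp": int(rec["exp"])}


def revoke(client_id, client_secret, token):
    """Invalidate the token before reporting success. Unknown tokens still get a
    success response (RFC 7009 section 2.2), but a known token must really be revoked."""
    _authenticate_caller(client_id, client_secret)
    rec = TOKENS.get(token)
    if rec is not None:
        rec["revoked"] = True
    return True
```

A subsequent introspection of a revoked token therefore reports it inactive, which is exactly the property the vulnerable endpoints lack.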

Fix

Improper Authentication


Weakness Enumeration

Related Identifiers

CVE-2026-41671
GHSA-9XX5-CV6J-X533

Affected Products

Admidio