PT-2026-37253 · Admidio · Admidio

Decsecre583 · Published 2026-05-05 · Updated 2026-05-07 · CVE-2026-42194

CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Admidio versions prior to 5.0.9

Description
An incomplete fix for Server-Side Request Forgery (SSRF) in the fetch_metadata.php file allows DNS rebinding. The system validates the resolved IP address but passes the original hostname-based URL to curl_init(). This creates a Time-of-Check to Time-of-Use (TOCTOU) window, a race condition in which a system checks a condition and then uses the result while the condition can change in between, allowing requests to be redirected to internal IP addresses. Specifically, gethostbyname() is used for validation, but because CURLOPT_RESOLVE is not set to pin the hostname to the validated IP, cURL resolves the hostname again independently. This can be exploited to access internal services, such as the instance metadata service at 169.254.169.254 on cloud-hosted instances to steal IAM credentials, or to scan internal networks and localhost services in on-premise deployments.

Recommendations
Update to version 5.0.9. As a temporary workaround, restrict access to the fetch_metadata.php file to minimize the risk of exploitation.
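The check-then-use gap described above, alongside the CURLOPT_RESOLVE pin that closes it, as an added PHP example (not Admidio's code); the function names and the IPv4-only, public-address policy are assumptions.

```php
<?php
// Added example, not Admidio's code. Policy and names below are assumptions.
// Reject loopback, RFC 1918 and reserved ranges (PHP's reserved set includes
// 169.254.0.0/16, where the cloud metadata address lives). IPv4 only, because
// gethostbyname() only returns A records.
function isPublicIpv4(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4
        | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}
// VULNERABLE pattern: the check and the use resolve the name separately.
function fetchUnpinned(string $url): string|false
{
    $host = parse_url($url, PHP_URL_HOST) ?: '';
    if (!isPublicIpv4(gethostbyname($host))) {      // check: first DNS lookup
        return false;
    }
    $ch = curl_init($url);                           // use: cURL resolves the name again,
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);  // and may now get a different answer
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}
// HARDENED pattern: the IP that passed the check is the only one cURL may connect to.
function fetchPinned(string $url): string|false
{
    $parts = parse_url($url);
    $scheme = $parts['scheme'] ?? '';
    $host = $parts['host'] ?? '';
    if (!in_array($scheme, ['http', 'https'], true) || $host === '') {
        return false;
    }
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    $ip = gethostbyname($host);                       // returns $host unchanged on failure
    if (!isPublicIpv4($ip)) {
        return false;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_RESOLVE => ["{$host}:{$port}:{$ip}"], // pin name -> validated IP for this handle
        CURLOPT_FOLLOWLOCATION => false,              // a redirect to another host would be unpinned
        CURLOPT_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5, CURLOPT_TIMEOUT => 10,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}
```

Because the pin applies only to the original host and port, redirects are disabled; if they are needed, each redirect target must be resolved, validated and pinned the same way before it is followed.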

Exploit

Fix

SSRF


Related Identifiers

CVE-2026-42194
GHSA-HCJJ-CHVW-FMW9

Affected Products

Admidio