CVE-2026-32812

MEDIUM

Admidio Vulnerable to SSRF and Local File Read via Unrestricted URL Fetch in SSO Metadata Endpoint

Title source: cna

Description

Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, unrestricted URL fetch in the SSO Metadata API can result in SSRF and local file reads. The SSO Metadata fetch endpoint at modules/sso/fetch_metadata.php accepts an arbitrary URL via $_GET['url'], validates it only with PHP's FILTER_VALIDATE_URL, and passes it directly to file_get_contents(). FILTER_VALIDATE_URL accepts file://, http://, ftp://, data://, and php:// scheme URIs. An authenticated administrator can use this endpoint to read arbitrary local files via the file:// wrapper (Local File Read), reach internal services via http:// (SSRF), or fetch cloud instance metadata. The full response body is returned verbatim to the caller. This issue has been fixed in version 5.0.7.

References (3)

[X_Refsource_Confirm] https://github.com/Admidio/admidio/security/advisories/GHSA-6j68-gcc3-mq73

[X_Refsource_Misc] https://github.com/Admidio/admidio/commit/f6b7a966abe4d75e9f707d665d7b4b5570e3185a

View Writeup ZIP pw:eip

[X_Refsource_Misc] https://github.com/Admidio/admidio/releases/tag/v5.0.7

Scores

CVSS v3 6.8

EPSS 0.0002

EPSS Percentile 3.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-918

Status published

Products (3)

admidio/admidio 5.0.0 - 5.0.7Packagist

admidio/admidio 5.0.0 - 5.0.7

Admidio/admidio >= 5.0.0, < 5.0.7

Published Mar 20, 2026

Tracked Since Mar 20, 2026