CVE-2026-41671

MEDIUM

Admidio: OIDC Token Introspection Endpoint Returns Active for All Tokens Without Validation

Title source: cna

Description

Admidio is an open-source user management solution. Prior to version 5.0.9, the OIDC token introspection endpoint (/modules/sso/index.php/oidc/introspect) always returns {"active": true} for every request, regardless of whether a valid token is provided, whether the token is expired, revoked, or completely fabricated. The endpoint performs no authentication of the calling resource server and no validation of the submitted token. Any resource server that relies on this introspection endpoint to validate access tokens will accept all requests as authorized, enabling complete authentication bypass. Additionally, the OIDC token revocation endpoint (/oidc/revoke) returns {"revoked": true} without actually revoking any token, preventing resource servers from invalidating compromised credentials. This issue has been patched in version 5.0.9.

References (2)

Core 2

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/Admidio/admidio/security/advisories/GHSA-9xx5-cv6j-x533

X_Refsource_Misc x_refsource_misc

https://github.com/Admidio/admidio/releases/tag/v5.0.9

Scores

CVSS v3 6.8

EPSS 0.0032

EPSS Percentile 23.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-287

Status published

Products (2)

admidio/admidio 0 - 5.0.9Packagist

Admidio/admidio < 5.0.9

Published May 07, 2026

Tracked Since May 07, 2026