Threat Advisory

Admidio Vulnerability Exposes SAML Assertion Leaks

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in Admidio, a web-based application for association management and event planning. The affected versions include all recent releases. These vulnerabilities primarily affect the SAML Single Sign-On (SSO) module, which allows users to authenticate with other applications and services. The vulnerabilities can lead to user identity theft, information disclosure, and scope changes, ultimately enabling impersonation on separate Service Provider applications.

  • CVE-2026-41670 with a CVSS score of 8.2 – A vulnerability in the SAML SSO module allows an attacker to send a SAML response to an unvalidated Assertion Consumer Service URL, leading to user identity theft and information disclosure. An attacker can craft a malicious SAML AuthnRequest with an arbitrary AssertionConsumerServiceURL, causing the IdP to send the signed SAML response to an attacker-controlled URL. This vulnerability is exploited by sending a SAML AuthnRequest to Admidio's SSO endpoint, and the attacker receives the signed SAML assertion containing login credentials, email, name, and roles.
  • CVE-2026-41669 with a CVSS score of 8.2 – The SAML Identity Provider implementation in Admidio discards the return value of its validateSignature() method at both call sites, making the smc_require_auth_signed configuration option ineffective. Unsigned or invalidly signed SAML AuthnRequests and LogoutRequests are processed identically to properly signed ones. This vulnerability is exploited by sending a forged SAML AuthnRequest or LogoutRequest to Admidio's SSO endpoint, and the attacker can bypass signature validation.
  • CVE-2026-41660 with a CVSS score of 7.1 – Admidio has an inverted 2FA reset authorization check that lets group leaders strip admin TOTP. Non-admin users cannot remove their own TOTP configuration, but they can remove other users' TOTP, including administrators. A group leader with profile edit rights on an admin account can strip that admin's 2FA. This vulnerability is exploited by sending a POST request to Admidio's 2FA reset endpoint with the user ID of an admin account, and the attacker can disable 2FA on the admin account.
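
The first two findings share one defensive fix on the IdP side: only redirect a signed response to an Assertion Consumer Service URL that is registered for the requesting Service Provider, and act on the result of signature validation instead of discarding it. The Python below is an added illustration of that check and is not Admidio's own code; the SP registry, the URLs, the request builder and the signature_valid flag (assumed to come from a real XML-DSig verifier run beforehand) are all assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed registry (hypothetical values): the ACS URLs the IdP has on file per SP entityID.
SP_REGISTRY = {
    "https://sp.example.org/metadata": {"https://sp.example.org/saml/acs"},
}


def authn_request(issuer, acs=None):
    """Build a minimal constructed AuthnRequest for demonstration (not a real SP message)."""
    acs_attr = f' AssertionConsumerServiceURL="{acs}"' if acs else ""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_req1" Version="2.0" IssueInstant="2026-01-01T00:00:00Z"{acs_attr}>'
            f"<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>")


def check_authn_request(xml_doc, signature_valid, require_signed):
    """Return (accepted, reason_or_destination).

    signature_valid is the boolean result of the XML-DSig verifier; the point of this
    function is that the result is enforced, not thrown away (the CVE-2026-41669 pattern).
    The ACS URL is taken from the request only if it is registered for the issuing SP
    (the CVE-2026-41670 pattern); otherwise the registered default is used.
    """
    root = ET.fromstring(xml_doc)
    if root.tag != f"{{{NS['samlp']}}}AuthnRequest":
        return False, "not an AuthnRequest"
    issuer_el = root.find("saml:Issuer", NS)
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
    allowed_acs = SP_REGISTRY.get(issuer)
    if allowed_acs is None:
        return False, f"unknown issuer {issuer!r}"
    # Honour the configuration: a required signature that did not verify is a hard reject.
    if require_signed and not signature_valid:
        return False, "request not validly signed"
    acs = root.get("AssertionConsumerServiceURL")
    if acs is None:
        # No ACS in the request: fall back to the SP's registered endpoint.
        return True, sorted(allowed_acs)[0]
    if acs not in allowed_acs:
        return False, f"ACS URL {acs!r} not registered for {issuer!r}"
    return True, acs
```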

The identified vulnerabilities pose a significant risk to Admidio users, as they can lead to user identity theft, information disclosure, and scope changes. The vulnerabilities are relatively easy to exploit, and no privileges are required to exploit them. The business consequences of these vulnerabilities can be severe, including financial losses, reputational damage, and compliance issues.

RECOMMENDATION:

  • We recommend updating Admidio to version 5.0.9.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-p9w9-87c8-m235
https://github.com/advisories/GHSA-25cw-98hg-g3cg
https://github.com/advisories/GHSA-rh3w-4ccx-prf9