Improper Verification of Cryptographic Signature in Admidio - CVE-2026-41669

Published: April 23, 2026
Vulnerability identifier: #VU127170
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-41669
CWE-ID: CWE-347
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Admidio
Affected software: Admidio

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass signature verification and process forged SAML AuthnRequests and LogoutRequests.

The vulnerability exists due to improper verification of cryptographic signature in the SAMLService handleSSORequest() and handleSLORequest() logic when processing SAML requests. A remote attacker can send specially crafted unsigned or invalidly signed SAML requests to bypass signature verification and process forged SAML AuthnRequests and LogoutRequests.

For SSO requests, exploitation can cause disclosure of user attributes to an attacker-controlled AssertionConsumerServiceURL for users with an active session. For SLO requests, exploitation can terminate the targeted user's session and trigger cascading single logout across registered service providers.
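To make the defect class concrete, here is an added illustration that is not Admidio's code: a hypothetical IdP-side check for the SAML HTTP-Redirect binding in the vulnerable form (signature verified only when one is present) beside a hardened form (signature required, algorithm pinned, verified against the key registered for that service provider). All type and function names are assumptions, and the SP key is generated in place as a stand-in for one loaded from SP metadata.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"net/url"
)

const rsaSHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
// RedirectRequest is a hypothetical redirect-binding request (not an Admidio type).
type RedirectRequest struct {
	SAMLRequest, SigAlg string
	Signature           []byte // nil when the sender supplied none
}

// digest hashes the query string the redirect binding signs (RelayState omitted).
func digest(r RedirectRequest) []byte {
	h := sha256.Sum256([]byte("SAMLRequest=" + url.QueryEscape(r.SAMLRequest) + "&SigAlg=" + url.QueryEscape(r.SigAlg)))
	return h[:]
}

// vulnerableAccept shows the CWE-347 pattern: verification only runs when a
// signature is present, so an unsigned request is processed as trusted.
func vulnerableAccept(r RedirectRequest, sp *rsa.PublicKey) bool {
	if r.Signature == nil {
		return true // BUG: nothing to verify, so the request is accepted anyway
	}
	return rsa.VerifyPKCS1v15(sp, crypto.SHA256, digest(r), r.Signature) == nil
}

// hardenedAccept requires a signature, pins the algorithm and verifies it
// against the key registered for that SP; any failure rejects the request.
func hardenedAccept(r RedirectRequest, sp *rsa.PublicKey) error {
	if r.Signature == nil || r.SigAlg != rsaSHA256 {
		return errors.New("request must be signed with rsa-sha256")
	}
	if rsa.VerifyPKCS1v15(sp, crypto.SHA256, digest(r), r.Signature) != nil {
		return errors.New("signature does not verify against the registered SP key")
	}
	return nil
}

// newSPKey stands in for the SP key an IdP would load from SP metadata (assumption).
func newSPKey() *rsa.PrivateKey {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	return key
}
```

The same rule applies to the SLO path: a LogoutRequest that arrives unsigned or with a signature that does not verify must be rejected before any session is touched.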
How to mitigate CVE-2026-41669

Install the security update from the vendor's website.

Sources