CVE-2026-41669

HIGH 8.2

Admidio: SAML Signature Validation Result Ignored — Forged AuthnRequests and LogoutRequests Processed

CVSS Score

8.2

EPSS Score

0.0%

EPSS Percentile

0th

Admidio is an open-source user management solution. Prior to version 5.0.9, the Admidio SAML Identity Provider implementation discards the return value of its validateSignature() method at both call sites (handleSSORequest() line 418 and handleSLORequest() line 613). The method returns error strings on failure rather than throwing exceptions, but the developer believed it would throw (per comments on lines 416 and 611). This means the smc_require_auth_signed configuration option is completely ineffective — unsigned or invalidly-signed SAML AuthnRequests and LogoutRequests are processed identically to properly signed ones. This issue has been patched in version 5.0.9.

CWE	CWE-347
Vendor	admidio
Product	admidio
Published	May 7, 2026

Stay Ahead of the Next One

Get instant alerts for admidio admidio

Be the first to know when new high vulnerabilities affecting admidio admidio are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

None

Affected Versions

Admidio / admidio

< 5.0.9

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/Admidio/admidio/security/advisories/GHSA-25cw-98hg-g3cg github.com: https://github.com/Admidio/admidio/releases/tag/v5.0.9