CVE-2026-41671

MEDIUM 6.8

Admidio: OIDC Token Introspection Endpoint Returns Active for All Tokens Without Validation

CVSS Score

6.8

EPSS Score

0.0%

EPSS Percentile

0th

Admidio is an open-source user management solution. Prior to version 5.0.9, the OIDC token introspection endpoint (/modules/sso/index.php/oidc/introspect) always returns {"active": true} for every request, regardless of whether a valid token is provided, whether the token is expired, revoked, or completely fabricated. The endpoint performs no authentication of the calling resource server and no validation of the submitted token. Any resource server that relies on this introspection endpoint to validate access tokens will accept all requests as authorized, enabling complete authentication bypass. Additionally, the OIDC token revocation endpoint (/oidc/revoke) returns {"revoked": true} without actually revoking any token, preventing resource servers from invalidating compromised credentials. This issue has been patched in version 5.0.9.

CWE	CWE-287
Vendor	admidio
Product	admidio
Published	May 7, 2026

Stay Ahead of the Next One

Get instant alerts for admidio admidio

Be the first to know when new medium vulnerabilities affecting admidio admidio are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

High

Availability

None

Affected Versions

Admidio / admidio

< 5.0.9

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/Admidio/admidio/security/advisories/GHSA-9xx5-cv6j-x533 github.com: https://github.com/Admidio/admidio/releases/tag/v5.0.9