CVE-2026-41669: Admidio SAML Signature Bypass Puts User Management at Risk

A critical flaw, CVE-2026-41669, has been identified in Admidio, an open-source user management solution. According to the National Vulnerability Database, prior to version 5.0.9, Admidio’s SAML Identity Provider implementation failed to properly validate signatures on both AuthnRequests and LogoutRequests. The underlying validateSignature() method returned error strings on failure, but developers incorrectly assumed it would throw exceptions, leading to the return value being discarded at both call sites.

This oversight renders the smc_require_auth_signed configuration option completely ineffective: the application processes unsigned or invalidly-signed SAML requests as if they were legitimate. The National Vulnerability Database has assigned this vulnerability a CVSS score of 8.2 (HIGH), indicating a significant risk. The root cause is classified as CWE-347, improper verification of cryptographic signature.
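As an added illustration (not Admidio's code), the following Python models the call-site defect described above: a validator that reports failure through its return value, a caller that discards that value, and the corrected caller. The HMAC signature, key and request bodies are constructed stand-ins for XML-DSig.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Hypothetical reconstruction of the bug class, not Admidio's code. The
# "signature" here is an HMAC-SHA256 over the raw request (constructed key);
# real SAML uses XML-DSig, but the return-value contract is the point.
SHARED_KEY = b"constructed-demo-key"
REQUIRE_AUTH_SIGNED = True  # stands in for smc_require_auth_signed

@dataclass
class SamlRequest:
    body: bytes
    signature: Optional[str]  # hex HMAC, or None when the request is unsigned

def sign(body: bytes) -> str:
    """Signature a legitimate, correctly configured sender would attach."""
    return hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()

def validate_signature(req: SamlRequest) -> Optional[str]:
    """Return an error string on failure and None on success; never raises."""
    if req.signature is None:
        return "request is not signed"
    if not hmac.compare_digest(sign(req.body), req.signature):
        return "signature does not match request"
    return None

def handle_sso_request_vulnerable(req: SamlRequest) -> bool:
    """Flawed call site: the caller assumes a bad signature raises, so the
    returned error string is silently dropped and every request is accepted."""
    if REQUIRE_AUTH_SIGNED:
        validate_signature(req)  # return value discarded
    return True

def handle_sso_request_fixed(req: SamlRequest) -> bool:
    """Hardened call site: any non-None result is a fatal validation error."""
    if REQUIRE_AUTH_SIGNED:
        error = validate_signature(req)
        if error is not None:
            raise ValueError(error)
    return True

def fixed_accepts(req: SamlRequest) -> bool:
    """True if the hardened handler accepts the request, False if it rejects."""
    try:
        return handle_sso_request_fixed(req)
    except ValueError:
        return False
```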

While specific affected products beyond Admidio itself were not detailed by the National Vulnerability Database, any organization leveraging Admidio’s SAML Identity Provider for user authentication is exposed. The impact is a complete bypass of SAML signature requirements, enabling unauthorized access or session manipulation if an attacker can intercept and modify SAML assertions.

What This Means For You

  • If your organization uses Admidio with SAML for identity management, this vulnerability severely undermines the integrity of your authentication. Attackers can craft unsigned or invalidly-signed SAML requests that the system will process as valid. You need to immediately verify your Admidio version and patch to 5.0.9 or higher to ensure SAML signature validation is enforced. This isn't theoretical; it's a direct route to unauthorized access.

🛡️ Detection Rules

Severity: critical · ATT&CK technique: T1190 (Initial Access)

CVE-2026-41669: Admidio SAML Signature Bypass - Unsigned AuthnRequest

Sigma YAML:
title: CVE-2026-41669: Admidio SAML Signature Bypass - Unsigned AuthnRequest
id: scw-2026-05-07-ai-1
status: experimental
level: critical
description: |
  Detects potential exploitation of CVE-2026-41669 by identifying Admidio SAML AuthnRequests that carry no Signature parameter (the rule cannot judge whether an existing signature is valid). The vulnerability allows processing of unsigned or invalidly-signed SAML requests, enabling an attacker to bypass authentication mechanisms.
author: SCW Feed Engine (AI-generated)
date: 2026-05-07
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-41669/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains: '/saml/sp/metadata.php'
    cs-method: 'POST'
    cs-uri-query|contains: 'SAMLRequest='
  selection_signed:
    # A redirect-binding signature travels as a Signature= query parameter;
    # a SAMLRequest with no such parameter is what the rule flags.
    cs-uri-query|contains: 'Signature='
  # The original condition required Signature= to be present, which matched
  # signed requests; the rule must match requests where it is absent.
  condition: selection and not selection_signed
falsepositives:
  - Legitimate administrative activity
  # HTTP-POST binding requests carry the XML signature in the form body, not
  # the query string, so they also match and need body-level inspection.
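The same detection logic applied to constructed access-log lines, as an added Python example rather than code from the page or from Admidio; the log layout, hosts, timestamps and tokens are assumed, and the endpoint path is the one the rule uses.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs

# Constructed sample access-log lines (fields: timestamp, cs-method, cs-uri,
# cs-uri-query or "-", c-ip). The endpoint path follows the rule above; the
# hosts, tokens and timestamps are invented for the example.
SAMPLE_LOG = """\
2026-05-07 07:16:01 POST /saml/sp/metadata.php SAMLRequest=fZHBasMw&RelayState=abc 203.0.113.5
2026-05-07 07:16:02 POST /saml/sp/metadata.php SAMLRequest=fZHBasMw&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=MEUCIQ 198.51.100.9
2026-05-07 07:16:03 GET /index.php - 192.0.2.7
2026-05-07 07:16:04 POST /saml/sp/metadata.php SAMLResponse=PHNhbWw&RelayState=abc 203.0.113.5
2026-05-07 07:16:05 POST /saml/sp/metadata.php Signature=MEUCIQ&SAMLRequest=fZHBasMw 198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+)$")

def parse_line(line: str) -> Dict[str, str]:
    """Split one constructed log line into Sigma-style webserver fields."""
    match = LINE_RE.match(line)
    if not match:
        raise ValueError("unrecognised log line: " + line)
    ts, method, uri, query, client = match.groups()
    return {
        "ts": ts,
        "cs-method": method,
        "cs-uri": uri,
        "cs-uri-query": "" if query == "-" else query,
        "c-ip": client,
    }

def is_unsigned_saml_request(event: Dict[str, str]) -> bool:
    """POSTed SAMLRequest to the Admidio endpoint with no usable Signature."""
    if "/saml/sp/metadata.php" not in event["cs-uri"]:
        return False
    if event["cs-method"] != "POST":
        return False
    params = parse_qs(event["cs-uri-query"], keep_blank_values=True)
    if "SAMLRequest" not in params:
        return False
    # Redirect-binding signatures travel as SigAlg=/Signature= query
    # parameters; a missing or empty Signature value is flagged.
    return not any(params.get("Signature", []))

def find_unsigned_requests(log: str) -> List[Dict[str, str]]:
    """Return the events that match the detection."""
    events = (parse_line(l) for l in log.splitlines() if l.strip())
    return [ev for ev in events if is_unsigned_saml_request(ev)]
```

With the HTTP-POST binding the XML signature sits inside the form body, so a query-string check can neither confirm nor refute signing for those requests; they need body or application-log inspection.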

Indicators of Compromise

ID              Type              Indicator
CVE-2026-41669  Auth Bypass       Admidio SAML Identity Provider implementation prior to version 5.0.9
CVE-2026-41669  Auth Bypass       Admidio vulnerable function validateSignature() return value discarded
CVE-2026-41669  Auth Bypass       Admidio vulnerable call site handleSSORequest() line 418
CVE-2026-41669  Auth Bypass       Admidio vulnerable call site handleSLORequest() line 613
CVE-2026-41669  Misconfiguration  Admidio smc_require_auth_signed configuration option ineffective

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 07, 2026 at 07:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
