CVE-2026-41670: Admidio SAML IdP Bypass Exposes User Data

The National Vulnerability Database has detailed CVE-2026-41670, a critical vulnerability in Admidio’s open-source user management solution. Prior to version 5.0.9, the SAML Identity Provider (IdP) implementation within Admidio’s Single Sign-On (SSO) module fails to properly validate the AssertionConsumerServiceURL from incoming SAML authentication requests. This allows an attacker to manipulate the SAML response destination.

An attacker, knowing only the Entity ID of a registered Service Provider (SP) client, can craft a malicious SAML AuthnRequest. This forces the Admidio IdP to send the signed SAML response, containing sensitive user attributes like login names, email addresses, roles, and profile fields, to an attacker-controlled URL instead of the legitimate SP. This bypass, rated with a CVSS score of 8.2 (HIGH), highlights a severe risk of information disclosure.

This flaw, categorized under CWE-20 (Improper Input Validation) and CWE-601 (Open Redirect), means that without proper patching, any organization using Admidio for user management is at risk of having their user identities compromised. Admidio has addressed this critical issue in version 5.0.9, and immediate upgrade is essential to mitigate the threat.
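As an added illustration (not Admidio's code; the SP registry, entity IDs and URLs below are invented), the following Python shows the check the advisory says was missing before 5.0.9: before an IdP signs and posts a Response, it must resolve the AssertionConsumerServiceURL carried in the AuthnRequest against the endpoints registered for the issuing SP and use only the registered value. The unvalidated resolver reproduces the described pre-5.0.9 behaviour for comparison. The comparison is component-wise (scheme, host, port, path, query) rather than a substring match, so look-alike hosts and prefix tricks are rejected as well.

```python
# Added example (not Admidio's own code): a SAML IdP binding the
# AssertionConsumerServiceURL of an AuthnRequest to the endpoints registered
# for that Service Provider. Registry contents, SP names and URLs are invented.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Hypothetical SP registry: Entity ID -> ACS URLs configured by the IdP admin.
REGISTERED_SPS = {
    "https://intranet.example.org/sp": [
        "https://intranet.example.org/saml/acs",
        "https://intranet.example.org:443/saml/acs?binding=post",
    ],
}


class AuthnRequestRejected(ValueError):
    """Raised when an AuthnRequest must not be answered."""


def parse_authn_request(xml_bytes):
    """Return (issuer entity id, requested ACS URL or None) from an AuthnRequest."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise AuthnRequestRejected("not a samlp:AuthnRequest")
    issuer = root.find("saml:Issuer", NS)
    entity_id = (issuer.text or "").strip() if issuer is not None else ""
    if not entity_id:
        raise AuthnRequestRejected("missing saml:Issuer")
    return entity_id, root.get("AssertionConsumerServiceURL")


def _endpoint_key(url):
    """Normalise a URL to (scheme, host, port, path, query) for exact comparison."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("https", "http"):
        raise AuthnRequestRejected("unsupported ACS scheme %r" % scheme)
    port = parts.port or (443 if scheme == "https" else 80)
    return (scheme, (parts.hostname or "").lower(), port, parts.path or "/", parts.query)


def unvalidated_acs_url(xml_bytes):
    """The behaviour the advisory describes for Admidio before 5.0.9: the URL
    supplied by the requester is used as-is as the Response destination."""
    _entity_id, requested = parse_authn_request(xml_bytes)
    return requested


def validated_acs_url(xml_bytes, registry=REGISTERED_SPS):
    """Hardened resolver: only a URL registered for the issuing SP is ever used,
    and the registered string (not the request's own input) is returned."""
    entity_id, requested = parse_authn_request(xml_bytes)
    allowed = registry.get(entity_id)
    if not allowed:
        raise AuthnRequestRejected("unknown Service Provider %r" % entity_id)
    if requested is None:
        # No ACS URL in the request: fall back to the SP's first registered endpoint.
        return allowed[0]
    wanted = _endpoint_key(requested)
    for candidate in allowed:
        if _endpoint_key(candidate) == wanted:
            return candidate
    raise AuthnRequestRejected(
        "AssertionConsumerServiceURL %r is not registered for %r" % (requested, entity_id)
    )


def accepts(xml_bytes, registry=REGISTERED_SPS):
    """True if the hardened resolver would answer this request."""
    try:
        validated_acs_url(xml_bytes, registry)
        return True
    except AuthnRequestRejected:
        return False


def make_request(entity_id, acs_url=None):
    """Build a minimal constructed AuthnRequest (no '&' in inputs, so no escaping)."""
    acs_attr = "" if acs_url is None else ' AssertionConsumerServiceURL="%s"' % acs_url
    return (
        '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_1" Version="2.0" '
        'IssueInstant="2026-05-07T07:16:00Z"%s>'
        "<saml:Issuer>%s</saml:Issuer></samlp:AuthnRequest>"
    ) % (NS["samlp"], NS["saml"], acs_attr, entity_id)


if __name__ == "__main__":
    sp = "https://intranet.example.org/sp"
    foreign = "https://collector.example.net/saml/acs"  # constructed, not registered
    print("unvalidated:", unvalidated_acs_url(make_request(sp, foreign)))
    print("validated accepts foreign URL:", accepts(make_request(sp, foreign)))
```

The important design point is where the check sits: the lookup happens before any assertion is built or signed, and the value written into the Response's Destination and posted to the browser is the registered string, never the attribute taken from the request. Requests for an unknown Entity ID, a non-HTTP scheme, or an unregistered endpoint are refused outright rather than answered with a fallback.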

What This Means For You

  • If your organization uses Admidio for identity management, you are directly exposed to CVE-2026-41670. Check your Admidio instance version immediately. If it's prior to 5.0.9, you MUST upgrade to version 5.0.9 or later without delay. This vulnerability allows for unauthorized data exfiltration of user identities, which can lead to further account takeovers and broader compromise.

🛡️ Detection Rules

3 detection rules were auto-generated for this CVE and mapped to MITRE ATT&CK; the Sigma YAML for the first is shown below.

Severity: critical · ATT&CK: T1566.003 (Initial Access)

CVE-2026-41670: Admidio SAML IdP AssertionConsumerServiceURL Manipulation

Sigma YAML
title: CVE-2026-41670: Admidio SAML IdP AssertionConsumerServiceURL Manipulation
id: scw-2026-05-07-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-41670 by observing SAML AuthnRequest messages that contain a manipulated AssertionConsumerServiceURL parameter. This indicates an attacker is trying to redirect SAML responses to an arbitrary URL, potentially exfiltrating user data.
author: SCW Feed Engine (AI-generated)
date: 2026-05-07
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-41670/
tags:
  - attack.initial_access
  - attack.t1566.003
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/saml/idp/metadata.php'
    cs-uri-query|contains:
      - 'AssertionConsumerServiceURL='
  # condition is a sibling of selection under detection, not a key inside it
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World

Indicators of Compromise

ID             | Type                   | Indicator
CVE-2026-41670 | Information Disclosure | Admidio SSO module SAML IdP implementation
CVE-2026-41670 | Information Disclosure | Admidio versions prior to 5.0.9
CVE-2026-41670 | Information Disclosure | SAML AuthnRequest with arbitrary AssertionConsumerServiceURL

Source & Attribution
Source Platform: NVD
Channel: National Vulnerability Database
Published: May 07, 2026 at 07:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Related coverage

  • CVE-2026-6214 (medium, CVSS 6.5, CWE-862) — The Forminator Forms plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.53.0. This is due to the...

  • CVE-2026-42194 (medium, CVSS 6.8, CWE-918, Server-Side Request Forgery) — Admidio is an open-source user management solution. Prior to version 5.0.9, the incomplete SSRF fix in Admidio's fetch_metadata.php validates the resolved IP address...

  • CVE-2026-41671 (medium, CVSS 6.8, CWE-287, Authentication Bypass) — Admidio is an open-source user management solution. Prior to version 5.0.9, the OIDC token introspection endpoint (/modules/sso/index.php/oidc/introspect) always returns {"active": true} for every...