Unrestricted URL Fetch in Admidio Open Source User Management Solution
CVE-2026-32812

6.8 MEDIUM

Key Information:

Vendor: Admidio

CVE Published: 20 March 2026

What is CVE-2026-32812?

Admidio, an open source user management solution, contains a vulnerability in versions 5.0.0 to 5.0.6 that permits unrestricted URL fetching via the SSO Metadata API. The affected endpoint accepts arbitrary URLs from an authenticated administrator and does not validate them adequately before fetching. This can be exploited to perform Server-Side Request Forgery (SSRF) or to gain unauthorized access to sensitive local files, exposing confidential data or internal services. The issue is resolved in version 5.0.7.
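The kind of validation whose absence the description points to, sketched as an added example (not Admidio's code and not the 5.0.7 fix). The function name, the `resolve` callable, the HTTPS-only policy and the resolver table are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: SSO metadata is only ever fetched over HTTPS.
ALLOWED_SCHEMES = {"https"}


def check_metadata_url(url, resolve):
    """Return (ok, reason) for a URL an admin supplied as a metadata source.

    `resolve` is a hypothetical callable: hostname -> list of IP strings.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False, "malformed URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"  # rejects file://, http://, etc.
    if parts.username or parts.password:
        return False, "credentials in URL"
    if not host:
        return False, "missing host"
    try:
        addrs = [ipaddress.ip_address(host)]  # host is an IP literal
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        # Unwrap ::ffff:a.b.c.d so mapped loopback/private addresses are caught.
        mapped = getattr(addr, "ipv4_mapped", None)
        if mapped is not None:
            addr = mapped
        # Every resolved address must be public; one internal record is enough to reject.
        if not addr.is_global:
            return False, f"non-public address {addr}"
    return True, "ok"


# Constructed resolver table standing in for DNS so the example runs offline.
SAMPLE_DNS = {
    "idp.example.org": ["93.184.216.34"],
    "intranet.example.org": ["10.0.0.5"],
    "mixed.example.org": ["93.184.216.34", "127.0.0.1"],
}


def sample_resolve(host):
    return SAMPLE_DNS.get(host, [])
```

A check like this only holds if the fetch then connects to the address that was validated and repeats the check on every redirect; otherwise a second DNS lookup or a redirect can still reach an internal target.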

Affected Version(s)

admidio >= 5.0.0, < 5.0.7

CVSS V3.1

Score: 6.8
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
