Authentication Bypass Vulnerability in Admidio User Management Solution
CVE-2026-41671

6.8 MEDIUM

Key Information:

Vendor: Admidio
Status: Vendor
CVE Published: 7 May 2026

What is CVE-2026-41671?

Admidio, an open-source user management solution, contains a vulnerability in its OIDC token introspection and revocation endpoints. In versions prior to 5.0.9 the introspection endpoint does not validate the token it is given: any request returns a status of active, regardless of whether the token was ever issued, has expired, or has been revoked. A resource server that relies on this endpoint to decide whether to accept a bearer token will therefore treat arbitrary or forged tokens as legitimate. The revocation endpoint has the related flaw of not actually revoking tokens, so a token that a user or client believes has been revoked (for example after a compromise) continues to be accepted. Users are strongly encouraged to upgrade to version 5.0.9, which addresses both endpoints.
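To make the two failure modes concrete, the following is an added example and not Admidio's code: it models the behaviour the advisory describes (introspection that always answers active, revocation that does nothing) next to what RFC 7662 introspection and RFC 7009 revocation require, and runs a small conformance probe over both. The class and function names, the in-memory token store and the `issue_token` callback are assumptions made for this illustration.

```python
"""Model of the CVE-2026-41671 failure mode plus a conformance probe.

Neither server class is Admidio code. BrokenAuthServer mirrors the advisory's
description; FixedAuthServer shows the RFC 7662 / RFC 7009 behaviour that a
resource server is entitled to rely on. probe() is the check a practitioner
would run against an introspection/revocation pair before trusting it.
"""
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Token:
    client_id: str
    scope: str
    expires_at: float
    revoked: bool = False


@dataclass
class BrokenAuthServer:
    """Hypothetical model of the advisory: no token lookup, no-op revocation."""
    tokens: dict = field(default_factory=dict)

    def introspect(self, token: str) -> dict:
        return {"active": True}  # every token, issued or not, is reported active

    def revoke(self, token: str) -> int:
        return 200  # acknowledged, but nothing in the store changes


@dataclass
class FixedAuthServer:
    """Introspection (RFC 7662) and revocation (RFC 7009) done correctly."""
    tokens: dict = field(default_factory=dict)

    def issue(self, client_id: str, scope: str, ttl: int = 3600) -> str:
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = Token(client_id, scope, time.time() + ttl)
        return tok

    def introspect(self, token: str) -> dict:
        rec = self.tokens.get(token)
        # Unknown, expired and revoked tokens all collapse to the same answer,
        # so the endpoint cannot be used as an oracle for which case applied.
        if rec is None or rec.revoked or rec.expires_at <= time.time():
            return {"active": False}
        return {"active": True, "client_id": rec.client_id,
                "scope": rec.scope, "exp": int(rec.expires_at)}

    def revoke(self, token: str) -> int:
        rec = self.tokens.get(token)
        if rec is not None:
            rec.revoked = True
        return 200  # RFC 7009: 200 even for unknown tokens


def probe(server, issue_token) -> list:
    """Return findings as strings; an empty list means the endpoints behaved.

    `server` exposes introspect(token) -> dict and revoke(token) -> int.
    `issue_token()` must return a genuinely valid token obtained legitimately.
    """
    findings = []
    garbage = secrets.token_urlsafe(32)  # constructed, never issued by anyone
    if server.introspect(garbage).get("active") is True:
        findings.append("introspection reports a never-issued token as active")
    good = issue_token()
    if server.introspect(good).get("active") is not True:
        findings.append("introspection rejects a freshly issued token")
    server.revoke(good)
    if server.introspect(good).get("active") is True:
        findings.append("token still active after revocation")
    return findings


if __name__ == "__main__":
    fixed = FixedAuthServer()
    print("fixed :", probe(fixed, lambda: fixed.issue("app", "openid")))
    print("broken:", probe(BrokenAuthServer(), lambda: "any-string-will-do"))
```

Against a live deployment the same three steps are HTTP POSTs to the introspection and revocation endpoints with the token in the `token` form parameter and the client's own credentials for authentication; a JSON reply of `{"active": true}` for a random string, or for a token you have just revoked, is the behaviour the advisory describes.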

Affected Version(s)

admidio < 5.0.9

CVSS V3.1

Score: 6.8
Severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: None
Integrity: High
Availability: None

Timeline

  • Vulnerability reserved

  • Vulnerability published: 7 May 2026