User Management Solution Vulnerability in Admidio by Admidio
CVE-2026-42194

6.8 MEDIUM

Key Information:

Vendor

Admidio

Status
Vendor
CVE Published:
7 May 2026

What is CVE-2026-42194?

Admidio, an open-source user management solution, contains a Server-Side Request Forgery (SSRF) vulnerability in fetch_metadata.php that stems from an incomplete fix. Validating the resolved IP address does not prevent the original hostname-based URL from being passed to curl_init(), which creates a time-of-check to time-of-use (TOCTOU) window. This could allow requests to be redirected to internal IPs, potentially exposing sensitive data. It has been resolved in version 5.0.9.
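One way to close the check/use gap described above is to resolve the hostname once, validate that address, and pin curl to it. This is an added example, not Admidio's code or its 5.0.9 patch; the function names isPublicIp and fetchPinned are hypothetical, and the redirect and protocol restrictions go slightly beyond what the description mentions.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; not taken from Admidio's source.

/** True only for addresses outside PHP's private and reserved ranges. */
function isPublicIp(string $ip): bool
{
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

/** Returns the response body, or null if the URL is rejected or the fetch fails. */
function fetchPinned(string $url): ?string
{
    $parts = parse_url($url);
    if (!is_array($parts)) {
        return null;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = $parts['host'] ?? '';
    if (!in_array($scheme, ['http', 'https'], true) || $host === '') {
        return null;
    }
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);

    // Time of check: one IPv4 lookup. gethostbyname() returns its input
    // unchanged on failure, which then fails the IP validation below.
    $ip = filter_var($host, FILTER_VALIDATE_IP) ? $host : gethostbyname($host);
    if (!isPublicIp($ip)) {
        return null;
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        // Time of use: map host:port to the checked IP so curl performs
        // no second DNS lookup that could return a different address.
        CURLOPT_RESOLVE        => ["$host:$port:$ip"],
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false, // a redirect target would be unchecked
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    return is_string($body) ? $body : null;
}
```

Because the URL still carries the hostname, the Host header and TLS certificate verification keep working against the pinned address.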

Affected Version(s)

admidio < 5.0.9

References

CVSS V3.1

Score:
6.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
