Admidio Vulnerable to SSRF and Local File Read via Unrestricted URL Fetch in SSO Metadata Endpoint
Description
Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, unrestricted URL fetch in the SSO Metadata API can result in SSRF and local file reads. The SSO Metadata fetch endpoint at modules/sso/fetch_metadata.php accepts an arbitrary URL via $_GET['url'], validates it only with PHP's FILTER_VALIDATE_URL, and passes it directly to file_get_contents(). FILTER_VALIDATE_URL accepts file://, http://, ftp://, data://, and php:// scheme URIs. An authenticated administrator can use this endpoint to read arbitrary local files via the file:// wrapper (Local File Read), reach internal services via http:// (SSRF), or fetch cloud instance metadata. The full response body is returned verbatim to the caller. This issue has been fixed in version 5.0.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Admidio 5.0.0–5.0.6 SSO metadata endpoint allows authenticated admins to read local files and perform SSRF via unrestricted URL fetch.
Vulnerability
Admidio versions 5.0.0 through 5.0.6 contain an unrestricted URL fetch vulnerability in the SSO Metadata API endpoint at modules/sso/fetch_metadata.php. The endpoint accepts a URL via the $_GET['url'] parameter and validates it only with PHP's FILTER_VALIDATE_URL, which is a format validator that permits dangerous schemes such as file://, http://, ftp://, data://, and php://. The URL is then passed directly to file_get_contents() without further sanitization, allowing an authenticated administrator to read arbitrary local files or make requests to internal services [1][2].
Exploitation
An attacker with administrator privileges can supply a URL like file:///etc/passwd to read local files, or http://127.0.0.1/ to perform Server-Side Request Forgery (SSRF) against internal services. The file:// wrapper does not require allow_url_fopen to be enabled, making local file reads reliably exploitable. The full response body is returned verbatim to the caller, enabling data exfiltration [2].
Impact
Successful exploitation can lead to disclosure of sensitive local files (e.g., configuration files, credentials), SSRF attacks against internal networks or cloud instance metadata endpoints (e.g., AWS http://169.254.169.254/latest/meta-data/), and potential lateral movement within the infrastructure [1][2].
Mitigation
The issue has been fixed in Admidio version 5.0.7. The patch restricts the allowed scheme to https:// only, validates that the resolved IP is not in private or reserved ranges, and replaces file_get_contents() with curl configured to enforce HTTPS-only connections [4]. Users should upgrade immediately.
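One way to implement the controls the fix describes (https-only scheme, rejection of private or reserved resolved addresses, and a curl fetch restricted to HTTPS), as an added example that is not Admidio's code; the function name, the IPv4-only resolution and the curl option set are this example's own choices:

```php
<?php
// Added example, not Admidio's patch. FILTER_VALIDATE_URL alone is only a
// format check: it accepts file://, php://, ftp:// and data: URIs as readily
// as https://, which is the weakness the advisory describes. The function
// below layers the checks the 5.0.7 fix is described as adding.
function fetchMetadataSafely(string $url): string
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        throw new InvalidArgumentException('Malformed URL');
    }
    $parts = parse_url($url);
    if (strtolower($parts['scheme'] ?? '') !== 'https' || empty($parts['host'])) {
        throw new InvalidArgumentException('Only https:// URLs with a host are allowed');
    }
    $host = $parts['host'];
    $port = $parts['port'] ?? 443;
    // Resolve the host ourselves so the address can be vetted before connecting.
    // IPv4 only here; a bracketed IPv6 literal or AAAA-only host is refused.
    $ips = gethostbynamel($host);
    if ($ips === false) {
        throw new InvalidArgumentException('Host does not resolve to an IPv4 address');
    }
    // NO_PRIV_RANGE covers 10/8, 172.16/12, 192.168/16; NO_RES_RANGE covers
    // 0/8, 127/8, 169.254/16 (cloud metadata) and 240/4.
    $flags = FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            throw new InvalidArgumentException("Refusing to fetch from $ip (private or reserved)");
        }
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,  // no file://, ftp://, http://
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false,            // a redirect could point inward
        CURLOPT_RESOLVE         => ["$host:$port:{$ips[0]}"], // pin the vetted IP
        CURLOPT_TIMEOUT         => 10,
        // Peer and host certificate verification stay at curl's default (on).
    ]);
    $body = curl_exec($ch);
    $err  = curl_error($ch);
    curl_close($ch);
    if ($body === false) {
        throw new RuntimeException("Fetch failed: $err");
    }
    return $body;
}
```

Pinning the connection to the address that passed the check closes the window in which a second DNS lookup by curl could return a different (internal) address.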
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (ecosystem) | Affected versions | Patched versions |
|---|---|---|
| admidio/admidio (Packagist) | >= 5.0.0, < 5.0.7 | 5.0.7 |
Affected products (2)
Patches
No patches discovered yet.
References
- [1] github.com/advisories/GHSA-6j68-gcc3-mq73
- [2] nvd.nist.gov/vuln/detail/CVE-2026-32812
- [3] github.com/Admidio/admidio/commit/f6b7a966abe4d75e9f707d665d7b4b5570e3185a
- [4] github.com/Admidio/admidio/releases/tag/v5.0.7
- [5] github.com/Admidio/admidio/security/advisories/GHSA-6j68-gcc3-mq73