High severity8.2GHSA Advisory· Published May 7, 2026· Updated May 7, 2026

CVE-2026-41669

Description

Admidio is an open-source user management solution. Prior to version 5.0.9, the Admidio SAML Identity Provider implementation discards the return value of its validateSignature() method at both call sites (handleSSORequest() line 418 and handleSLORequest() line 613). The method returns error strings on failure rather than throwing exceptions, but the developer believed it would throw (per comments on lines 416 and 611). This means the smc_require_auth_signed configuration option is completely ineffective — unsigned or invalidly-signed SAML AuthnRequests and LogoutRequests are processed identically to properly signed ones. This issue has been patched in version 5.0.9.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
admidio/admidioPackagist	< 5.0.9	5.0.9

Affected products

Admidio/AdmidioGHSA
Range: <= 5.0.8

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-25cw-98hg-g3cgghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-41669ghsaADVISORY
github.com/Admidio/admidio/releases/tag/v5.0.9nvdWEB
github.com/Admidio/admidio/security/advisories/GHSA-25cw-98hg-g3cgnvdWEB

News mentions

No linked articles in our index yet.

cvss	0.533
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000