CVE-2026-41669 · HIGH 8.2 · EPSS p8.9%

CVE-2026-41669

Description

Admidio is an open-source user management solution. Prior to version 5.0.9, the Admidio SAML Identity Provider implementation discards the return value of its validateSignature() method at both call sites (handleSSORequest() line 418 and handleSLORequest() line 613). The method returns error strings on failure rather than throwing exceptions, but the developer believed it would throw (per comments on lines 416 and 611). This means the smc_require_auth_signed configuration option is completely ineffective — unsigned or invalidly-signed SAML AuthnRequests and LogoutRequests are processed identically to properly signed ones. This issue has been patched in version 5.0.9.

Scoring

CVSS 3.1: 8.2 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
EPSS: 0.19% probability of exploitation · percentile 8.9% · 2026-06-18T12:00:27Z
Published: 2026-05-07
Last modified: 2026-05-07

Underlying weaknesses (1)

CWE-347

References

  1. https://github.com/Admidio/admidio/releases/tag/v5.0.9
  2. https://github.com/Admidio/admidio/security/advisories/GHSA-25cw-98hg-g3cg


Type      Target                                                      Confidence  Tier
Weakness  Improper Verification of Cryptographic Signature (CWE-347)  0%          live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-41670
CVE: CVE-2026-41694
CVE: CVE-2026-32756
CVE: CVE-2026-32817
CVE: CVE-2026-41577
CVE: CVE-2026-25922
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.