{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32812", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-16T17:35:36.696Z", "datePublished": "2026-03-20T01:58:05.390Z", "dateUpdated": "2026-03-20T18:08:53.629Z"}, "containers": {"cna": {"title": "Admidio Vulnerable to SSRF and Local File Read via Unrestricted URL Fetch in SSO Metadata Endpoint", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Admidio/admidio/security/advisories/GHSA-6j68-gcc3-mq73", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-6j68-gcc3-mq73"}, {"name": "https://github.com/Admidio/admidio/commit/f6b7a966abe4d75e9f707d665d7b4b5570e3185a", "tags": ["x_refsource_MISC"], "url": "https://github.com/Admidio/admidio/commit/f6b7a966abe4d75e9f707d665d7b4b5570e3185a"}, {"name": "https://github.com/Admidio/admidio/releases/tag/v5.0.7", "tags": ["x_refsource_MISC"], "url": "https://github.com/Admidio/admidio/releases/tag/v5.0.7"}], "affected": [{"vendor": "Admidio", "product": "admidio", "versions": [{"version": ">= 5.0.0, < 5.0.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T01:58:29.741Z"}, "descriptions": [{"lang": "en", "value": "Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, unrestricted URL fetch in the SSO Metadata API can result in SSRF and local file reads. The SSO Metadata fetch endpoint at modules/sso/fetch_metadata.php accepts an arbitrary URL via $_GET['url'], validates it only with PHP's FILTER_VALIDATE_URL, and passes it directly to file_get_contents(). FILTER_VALIDATE_URL accepts file://, http://, ftp://, data://, and php:// scheme URIs. An authenticated administrator can use this endpoint to read arbitrary local files via the file:// wrapper (Local File Read), reach internal services via http:// (SSRF), or fetch cloud instance metadata. The full response body is returned verbatim to the caller. This issue has been fixed in version 5.0.7."}], "source": {"advisory": "GHSA-6j68-gcc3-mq73", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-6j68-gcc3-mq73", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T16:55:19.648121Z", "id": "CVE-2026-32812", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T18:08:53.629Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32812", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T16:55:19.648121Z"}}}], "references": [{"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-6j68-gcc3-mq73", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T16:55:29.311Z"}}], "cna": {"title": "Admidio Vulnerable to SSRF and Local File Read via Unrestricted URL Fetch in SSO Metadata Endpoint", "source": {"advisory": "GHSA-6j68-gcc3-mq73", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Admidio", "product": "admidio", "versions": [{"status": "affected", "version": ">= 5.0.0, < 5.0.7"}]}], "references": [{"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-6j68-gcc3-mq73", "name": "https://github.com/Admidio/admidio/security/advisories/GHSA-6j68-gcc3-mq73", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Admidio/admidio/commit/f6b7a966abe4d75e9f707d665d7b4b5570e3185a", "name": "https://github.com/Admidio/admidio/commit/f6b7a966abe4d75e9f707d665d7b4b5570e3185a", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/Admidio/admidio/releases/tag/v5.0.7", "name": "https://github.com/Admidio/admidio/releases/tag/v5.0.7", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, unrestricted URL fetch in the SSO Metadata API can result in SSRF and local file reads. The SSO Metadata fetch endpoint at modules/sso/fetch_metadata.php accepts an arbitrary URL via $_GET['url'], validates it only with PHP's FILTER_VALIDATE_URL, and passes it directly to file_get_contents(). FILTER_VALIDATE_URL accepts file://, http://, ftp://, data://, and php:// scheme URIs. An authenticated administrator can use this endpoint to read arbitrary local files via the file:// wrapper (Local File Read), reach internal services via http:// (SSRF), or fetch cloud instance metadata. The full response body is returned verbatim to the caller. This issue has been fixed in version 5.0.7."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T01:58:29.741Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32812", "state": "PUBLISHED", "dateUpdated": "2026-03-20T18:08:53.629Z", "dateReserved": "2026-03-16T17:35:36.696Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T01:58:05.390Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*", "matchCriteriaId": "4020E2FE-8E51-405F-86CB-DAAFBA7FD9B3", "versionEndExcluding": "5.0.7", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, unrestricted URL fetch in the SSO Metadata API can result in SSRF and local file reads. The SSO Metadata fetch endpoint at modules/sso/fetch_metadata.php accepts an arbitrary URL via $_GET['url'], validates it only with PHP's FILTER_VALIDATE_URL, and passes it directly to file_get_contents(). FILTER_VALIDATE_URL accepts file://, http://, ftp://, data://, and php:// scheme URIs. An authenticated administrator can use this endpoint to read arbitrary local files via the file:// wrapper (Local File Read), reach internal services via http:// (SSRF), or fetch cloud instance metadata. The full response body is returned verbatim to the caller. This issue has been fixed in version 5.0.7."}], "id": "CVE-2026-32812", "lastModified": "2026-03-23T15:24:40.083", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T02:16:35.043", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/Admidio/admidio/commit/f6b7a966abe4d75e9f707d665d7b4b5570e3185a"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/Admidio/admidio/releases/tag/v5.0.7"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-6j68-gcc3-mq73"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-6j68-gcc3-mq73"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.0.0,5.0.7)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "admidio", "source": "cna", "vendor": "Admidio"}, "product": "admidio", "vendor": "admidio"}], "analysis": {"en": {"generated_at": "2026-03-23T16:29:19.703921+00:00", "value": {"mitigation_remediation": ["Apply the vendor patch to update Admidio to version 5.0.7 or later.", "If patching cannot be performed immediately, consider restricting or disabling access to the SSO metadata fetch endpoint for non\u2011essential administrators or by using network segmentation.", "Verify that the file:// wrapper is disabled on the web server if possible to prevent local file reads."], "summary": {"action": "Immediate Patch", "impact": "SSRF and Local File Read leading to sensitive data exposure"}, "threat_synthesis": {"affected_systems": "Admidio user management solution versions 5.0.0 through 5.0.6 are affected. The fix was applied in version 5.0.7. Only authenticated administrators have access to the vulnerable endpoint.", "description_and_impact": "The vulnerability is an unrestricted URL fetch in the SSO Metadata API. It accepts an arbitrary URL via the GET parameter and forwards it directly to file_get_contents after only a basic FILTER_VALIDATE_URL check, which permits file://, http://, ftp://, data://, and php:// scheme URIs. As a result, an attacker can trigger Server\u2011Side Request Forgery to reach internal services and can read arbitrary local files, including cloud instance metadata. The weakness is identified as CWE\u2011918.", "risk_and_exploitability": "The CVSS score of 6.8 indicates medium severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the wild. However, exploitation requires administrative credentials, which limits the attack surface. If a privileged user is compromised, the attacker could read sensitive data or access internal services via SSRF. The vulnerability is not listed in the CISA KEV catalog, indicating no known widespread exploitation at this time."}}}}, "created": "2026-03-20T08:53:10.783664+00:00", "updated": "2026-03-25T14:09:40.266779+00:00", "vendors": ["admidio", "admidio$PRODUCT$admidio"]}