{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32812", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-16T17:35:36.696Z", "datePublished": "2026-03-20T01:58:05.390Z", "dateUpdated": "2026-03-20T18:08:53.629Z"}, "containers": {"cna": {"title": "Admidio Vulnerable to SSRF and Local File Read via Unrestricted URL Fetch in SSO Metadata Endpoint", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Admidio/admidio/security/advisories/GHSA-6j68-gcc3-mq73", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-6j68-gcc3-mq73"}, {"name": "https://github.com/Admidio/admidio/commit/f6b7a966abe4d75e9f707d665d7b4b5570e3185a", "tags": ["x_refsource_MISC"], "url": "https://github.com/Admidio/admidio/commit/f6b7a966abe4d75e9f707d665d7b4b5570e3185a"}, {"name": "https://github.com/Admidio/admidio/releases/tag/v5.0.7", "tags": ["x_refsource_MISC"], "url": "https://github.com/Admidio/admidio/releases/tag/v5.0.7"}], "affected": [{"vendor": "Admidio", "product": "admidio", "versions": [{"version": ">= 5.0.0, < 5.0.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T01:58:29.741Z"}, "descriptions": [{"lang": "en", "value": "Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, unrestricted URL fetch in the SSO Metadata API can result in SSRF and local file reads. The SSO Metadata fetch endpoint at modules/sso/fetch_metadata.php accepts an arbitrary URL via $_GET['url'], validates it only with PHP's FILTER_VALIDATE_URL, and passes it directly to file_get_contents(). FILTER_VALIDATE_URL accepts file://, http://, ftp://, data://, and php:// scheme URIs. An authenticated administrator can use this endpoint to read arbitrary local files via the file:// wrapper (Local File Read), reach internal services via http:// (SSRF), or fetch cloud instance metadata. The full response body is returned verbatim to the caller. This issue has been fixed in version 5.0.7."}], "source": {"advisory": "GHSA-6j68-gcc3-mq73", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-6j68-gcc3-mq73", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T16:55:19.648121Z", "id": "CVE-2026-32812", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T18:08:53.629Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32812", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T16:55:19.648121Z"}}}], "references": [{"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-6j68-gcc3-mq73", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T16:55:29.311Z"}}], "cna": {"title": "Admidio Vulnerable to SSRF and Local File Read via Unrestricted URL Fetch in SSO Metadata Endpoint", "source": {"advisory": "GHSA-6j68-gcc3-mq73", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Admidio", "product": "admidio", "versions": [{"status": "affected", "version": ">= 5.0.0, < 5.0.7"}]}], "references": [{"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-6j68-gcc3-mq73", "name": "https://github.com/Admidio/admidio/security/advisories/GHSA-6j68-gcc3-mq73", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Admidio/admidio/commit/f6b7a966abe4d75e9f707d665d7b4b5570e3185a", "name": "https://github.com/Admidio/admidio/commit/f6b7a966abe4d75e9f707d665d7b4b5570e3185a", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/Admidio/admidio/releases/tag/v5.0.7", "name": "https://github.com/Admidio/admidio/releases/tag/v5.0.7", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, unrestricted URL fetch in the SSO Metadata API can result in SSRF and local file reads. The SSO Metadata fetch endpoint at modules/sso/fetch_metadata.php accepts an arbitrary URL via $_GET['url'], validates it only with PHP's FILTER_VALIDATE_URL, and passes it directly to file_get_contents(). FILTER_VALIDATE_URL accepts file://, http://, ftp://, data://, and php:// scheme URIs. An authenticated administrator can use this endpoint to read arbitrary local files via the file:// wrapper (Local File Read), reach internal services via http:// (SSRF), or fetch cloud instance metadata. The full response body is returned verbatim to the caller. This issue has been fixed in version 5.0.7."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T01:58:29.741Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32812", "state": "PUBLISHED", "dateUpdated": "2026-03-20T18:08:53.629Z", "dateReserved": "2026-03-16T17:35:36.696Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T01:58:05.390Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, unrestricted URL fetch in the SSO Metadata API can result in SSRF and local file reads. The SSO Metadata fetch endpoint at modules/sso/fetch_metadata.php accepts an arbitrary URL via $_GET['url'], validates it only with PHP's FILTER_VALIDATE_URL, and passes it directly to file_get_contents(). FILTER_VALIDATE_URL accepts file://, http://, ftp://, data://, and php:// scheme URIs. An authenticated administrator can use this endpoint to read arbitrary local files via the file:// wrapper (Local File Read), reach internal services via http:// (SSRF), or fetch cloud instance metadata. The full response body is returned verbatim to the caller. This issue has been fixed in version 5.0.7."}], "id": "CVE-2026-32812", "lastModified": "2026-03-20T19:16:17.203", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T02:16:35.043", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/Admidio/admidio/commit/f6b7a966abe4d75e9f707d665d7b4b5570e3185a"}, {"source": "security-advisories@github.com", "url": "https://github.com/Admidio/admidio/releases/tag/v5.0.7"}, {"source": "security-advisories@github.com", "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-6j68-gcc3-mq73"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-6j68-gcc3-mq73"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.0.0,5.0.7)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "admidio", "source": "cna", "vendor": "Admidio"}, "product": "admidio", "vendor": "admidio"}], "analysis": {"en": {"generated_at": "2026-03-20T03:50:36.891024+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2011supplied patch by upgrading to Admidio v5.0.7 or later."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure via SSRF and LFI"}, "threat_synthesis": {"affected_systems": "All installations of Admidio running versions 5.0.0 through 5.0.6 are affected. The vulnerability was fixed in release 5.0.7; no other versions are known to contain the flaw.", "description_and_impact": "Unrestricted URL fetch in Admidio v5.0.0\u20135.0.6 allows an authenticated administrator to supply any URL to modules/sso/fetch_metadata.php via the GET parameter 'url'. The endpoint validates the URL only with PHP's FILTER_VALIDATE_URL, which accepts file://, http://, ftp://, data://, and php:// schemes, and then passes the value directly to file_get_contents(). This creates both a Server\u2011Side Request Forgery (SSRF) and a Local File Read (LFI) weakness (CWE\u2011918). If the 'file://' scheme is used, the attacker can read arbitrary local files; if 'http://' is used against internal services the attacker can discover or reach them; and any returned content is served back to the caller without modification, providing a direct information\u2011leak channel.", "risk_and_exploitability": "The CVSS base score for this vulnerability is 6.8 (Moderate). EPSS data is not available and the issue is not listed in the CISA KEV catalog. The attack vector is internal and requires authenticated administrator access to the SSO Metadata endpoint, although an attacker could gain such access through credential compromise or exploitation of related authentication weaknesses. Given the moderate score and lack of public exploitation data, the overall risk is considered moderate, but the potential for serious confidentiality loss makes immediate remediation advisable."}}}}, "created": "2026-03-20T08:53:10.783664+00:00", "updated": "2026-03-20T10:43:04.167177+00:00", "vendors": ["admidio", "admidio$PRODUCT$admidio"]}