CVE-2026-42194

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

6.8 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N                                    

Vulnerability Description

Admidio is an open-source user management solution. Prior to version 5.0.9, the incomplete SSRF fix in Admidio's fetch_metadata.php validates the resolved IP address but passes the original hostname-based URL to curl_init(), leaving a DNS rebinding TOCTOU window that allows redirecting requests to internal IPs. This issue has been patched in version 5.0.9.

Vulnerability Details

Published Date

May 05, 2026

Last Modified

May 07, 2026

CWE ID

CWE-918

Source

GitHub

Vendor

composer

Product

admidio/admidio

External References

https://github.com/Admidio/admidio/security/advisories/GHSA-6j68-gcc3-mq73
https://github.com/Admidio/admidio/security/advisories/GHSA-hcjj-chvw-fmw9
https://github.com/Admidio/admidio/commit/f6b7a966abe4d75e9f707d665d7b4b5570e3185a
https://github.com/advisories/GHSA-hcjj-chvw-fmw9

CVE-2026-42194

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment