CVE-2026-41669: Admidio Ignores SAML Signature Validation Result, Processes Forged AuthnRequests and LogoutRequests

April 29, 2026 (updated May 8, 2026)

The Admidio SAML Identity Provider implementation discards the return value of its validateSignature() method at both call sites (handleSSORequest() line 418 and handleSLORequest() line 613). The method returns error strings on failure rather than throwing exceptions, but the developer believed it would throw (per comments on lines 416 and 611). This means the smc_require_auth_signed configuration option is completely ineffective — unsigned or invalidly-signed SAML AuthnRequests and LogoutRequests are processed identically to properly signed ones.

References

github.com/Admidio/admidio
github.com/Admidio/admidio/releases/tag/v5.0.9
github.com/Admidio/admidio/security/advisories/GHSA-25cw-98hg-g3cg
github.com/advisories/GHSA-25cw-98hg-g3cg
nvd.nist.gov/vuln/detail/CVE-2026-41669

Code Behaviors & Features

Detect and mitigate CVE-2026-41669 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →