MEDIUM SeverityCVSS 3.16.8CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

CVE-2026-42194

Last updated May 07, 2026 · Published May 07, 2026

Description

Admidio is an open-source user management solution. Prior to version 5.0.9, the incomplete SSRF fix in Admidio's fetch_metadata.php validates the resolved IP address but passes the original hostname-based URL to curl_init(), leaving a DNS rebinding TOCTOU window that allows redirecting requests to internal IPs. This issue has been patched in version 5.0.9.

Affected products

1 listed

Admidio:admidio

Mappings

CWE

CWE-918

CAPEC

None listed.

Research

Server-Side Request Forgery (SSRF)Explains how untrusted URLs can make servers reach internal or cloud metadata endpoints. Covers validation,…

Guides

Next.js SSRF ProtectionCommon SSRF paths in Next.js and how to block them.

Training

SSRF and Request ForgeryWhen your server makes requests on behalf of an attacker.
API Design That Defends ItselfREST, GraphQL, and gRPC patterns that reduce your attack surface by design.

CVE-2026-42194

Description

Affected products

Mappings

Related