Server-side request forgery (SSRF) in admidio/admidio
Description
Admidio has an incomplete fix for CVE-2026-32812 (SSRF)
Summary
The incomplete SSRF fix in Admidio's fetch_metadata.php validates the resolved IP address but passes the original hostname-based URL to curl_init(), leaving a DNS rebinding TOCTOU window that allows redirecting requests to internal IPs.
Affected Package
Ecosystem: Other
Package: admidio
Affected versions: < commit f6b7a966abe4d75e9f707d665d7b4b5570e3185a
Patched versions: >= commit f6b7a966abe4d75e9f707d665d7b4b5570e3185a
Severity
Medium
CWE
CWE-918 — Server-Side Request Forgery (SSRF)
Details
In modules/sso/fetch_metadata.php (lines 21-49) the SSO metadata fetch proceeds in four steps: (1) it checks that the URL scheme is HTTPS (line 21); (2) it runs filter_var($rawUrl, FILTER_VALIDATE_URL) (line 27); (3) it resolves the hostname with gethostbyname() and checks the returned IP against private and reserved ranges (lines 34-38); (4) it passes the original URL, hostname included, to curl_init($url) (line 41).
The fundamental problem is step 4: cURL resolves the hostname again on its own. Between gethostbyname() in step 3 and the curl_exec() that follows step 4, an attacker-controlled DNS server can change its answer (DNS rebinding), so a name that resolved to a public address during the check resolves to 169.254.169.254 (the AWS instance metadata service), 127.0.0.1, or any other internal address at the moment cURL connects. No CURLOPT_RESOLVE entry pins the hostname to the validated IP.
The TOCTOU window between gethostbyname() and curl_exec() is the core issue, and the patch does not close it.
PoC
#!/usr/bin/env python3
"""
CVE-2026-32812 - Admidio SSRF via DNS Rebinding in fetch_metadata.php

Vulnerability: modules/sso/fetch_metadata.php resolves hostname via
gethostbyname() and checks if IP is private, but passes the ORIGINAL URL
(with hostname) to curl_init(). DNS rebinding can cause hostname to resolve
to internal IP when cURL actually connects.
...
Steps to reproduce:
Place the vulnerable fetch_metadata.php source in the same directory.
Ensure PHP CLI is installed, then run python3 poc.py.
Observe the TOCTOU window where cURL receives a hostname instead of the validated IP.
Expected output:
VULNERABILITY CONFIRMED curl_init() uses the original hostname-based URL while IP validation used gethostbyname(), leaving a DNS rebinding TOCTOU window.
Impact
An attacker can exploit the SSO metadata fetch endpoint to make the Admidio server issue HTTPS requests to internal services. On cloud-hosted instances, this enables reading the instance metadata service (169.254.169.254) to steal IAM credentials. On-premise deployments can be used to scan internal networks or access localhost services.
Suggested Remediation
Use CURLOPT_RESOLVE to pin the hostname to the IP address returned by gethostbyname(), so that cURL connects to exactly the IP that was validated. The entry has the form host:port:address and the port must match the one cURL will use (443 for the HTTPS-only URLs this code accepts):
$resolve = ["$host:443:$ip"];
curl_setopt($ch, CURLOPT_RESOLVE, $resolve);
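The pinning described above, carried through as an added example that is neither Admidio's code nor the fix commit: it resolves the name once, checks every A and AAAA answer (gethostbyname() returns a single IPv4 address and never consults AAAA records), and pins cURL to the validated address with CURLOPT_RESOLVE, which closes the window between the check in step 3 and the connect in step 4 under Details. It also disables redirects, since a 3xx to an internal host would otherwise bypass the pin, and verifies after the fact that the socket went to the pinned address. The names isPublicAddress(), resolveAll() and fetchMetadataPinned() are assumptions; the argument plays the role of the page's $rawUrl.

```php
<?php
declare(strict_types=1);

// Added example, not Admidio's code. Resolves the hostname once, validates every
// returned address, then pins cURL to the validated address with CURLOPT_RESOLVE
// so the name is never looked up a second time. Function names are assumptions.

// True only for a globally routable unicast address. FILTER_FLAG_NO_PRIV_RANGE
// rejects 10/8, 172.16/12, 192.168/16 and fc00::/7; FILTER_FLAG_NO_RES_RANGE
// rejects 0/8, 127/8, 169.254/16 (cloud metadata), 240/4, ::1, ::, ::ffff:0:0/96
// and fe80::/10. Neither flag covers 100.64.0.0/10 (CGNAT), so it is checked here.
function isPublicAddress(string $ip): bool
{
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
        return false;
    }
    $packed = inet_pton($ip);
    if ($packed !== false && strlen($packed) === 4) {
        $second = ord($packed[1]);
        if (ord($packed[0]) === 100 && $second >= 64 && $second <= 127) {
            return false;
        }
    }
    return true;
}

// Every A and AAAA answer for the name; [] when nothing resolves.
function resolveAll(string $host): array
{
    $ips = [];
    foreach (dns_get_record($host, DNS_A) ?: [] as $rr) {
        $ips[] = $rr['ip'];
    }
    foreach (dns_get_record($host, DNS_AAAA) ?: [] as $rr) {
        $ips[] = $rr['ipv6'];
    }
    return $ips;
}

function fetchMetadataPinned(string $rawUrl): string
{
    if (filter_var($rawUrl, FILTER_VALIDATE_URL) === false) {
        throw new InvalidArgumentException('Malformed URL');
    }
    $parts = parse_url($rawUrl);
    if (($parts['scheme'] ?? '') !== 'https' || empty($parts['host'])
        || isset($parts['user']) || isset($parts['pass'])) {
        throw new InvalidArgumentException('Only plain https:// URLs are accepted');
    }
    $host = strtolower(trim($parts['host'], '[]'));
    $port = $parts['port'] ?? 443;

    // IP literals are validated directly; anything else must resolve. A host that
    // does not resolve (e.g. the decimal form 2130706433, which cURL itself would
    // turn into 127.0.0.1) is rejected instead of being handed to cURL.
    $ips = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : resolveAll($host);
    if ($ips === []) {
        throw new RuntimeException("Cannot resolve $host");
    }
    foreach ($ips as $ip) {
        if (!isPublicAddress($ip)) {
            throw new RuntimeException("Refusing non-public address $ip for $host");
        }
    }

    // Pin the connection to the first validated address. cURL still sends the
    // hostname for SNI and verifies the certificate against it.
    $pin   = $ips[0];
    $entry = sprintf('%s:%d:%s', $host, $port,
        strpos($pin, ':') !== false ? "[$pin]" : $pin);

    $ch = curl_init($rawUrl);
    curl_setopt_array($ch, [
        CURLOPT_RESOLVE        => [$entry],
        CURLOPT_FOLLOWLOCATION => false,           // a 3xx to an internal host would bypass the pin
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
        CURLOPT_MAXFILESIZE    => 1 << 20,         // metadata documents are small
    ]);
    $body      = curl_exec($ch);
    $error     = curl_error($ch);
    $status    = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $connected = (string) curl_getinfo($ch, CURLINFO_PRIMARY_IP);
    curl_close($ch);

    if ($body === false) {
        throw new RuntimeException("Fetch failed: $error");
    }
    if ($status !== 200) {
        throw new RuntimeException("Unexpected HTTP status $status");
    }
    // Confirm the socket really went to the validated address.
    if (inet_pton($connected) !== inet_pton($pin)) {
        throw new RuntimeException("Connected to $connected, expected $pin");
    }
    return $body;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    echo fetchMetadataPinned($argv[1]), PHP_EOL;
}
```

Run it as `php fetch_pinned.php https://idp.example.org/metadata.xml` (hypothetical URL). Pinning only the connect step is what CURLOPT_RESOLVE is for; the redirect and protocol restrictions matter because a pinned first hop says nothing about where a Location header or a non-HTTPS scheme would send the second request.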
Resources
Incomplete fix commit: https://github.com/Admidio/admidio/commit/f6b7a966abe4d75e9f707d665d7b4b5570e3185a
Original CVE: CVE-2026-32812
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| packagist | admidio/admidio | 5.0.9 | |