CVE-2026-42194

Description

Admidio is an open-source user management solution. Prior to version 5.0.9, the incomplete SSRF fix in Admidio's fetch_metadata.php validates the resolved IP address but passes the original hostname-based URL to curl_init(), leaving a DNS rebinding TOCTOU window that allows redirecting requests to internal IPs. This issue has been patched in version 5.0.9.

References

• https://github.com/Admidio/admidio/releases/tag/v5.0.9
• https://github.com/Admidio/admidio/security/advisories/GHSA-hcjj-chvw-fmw9