Admidio
cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*
- <= 5.0.8
A vulnerability exists in Admidio's OIDC token introspection and revocation endpoints prior to version 5.0.9. The introspection endpoint does not validate tokens at all, always returning {'active': true} regardless of the token's validity. This flaw allows resource servers to accept fabricated tokens as valid, bypassing authentication. Additionally, the revocation endpoint falsely claims to revoke tokens without actually doing so, leaving compromised tokens active until expiration.
Exploitation of this vulnerability bypasses authentication on resource servers that rely on the Admidio OIDC introspection endpoint for token validation. This allows attackers to use fake tokens to gain unauthorized access. Furthermore, the inability to properly revoke tokens through the OIDC revocation endpoint means that stolen tokens remain valid until they naturally expire, creating a prolonged security risk.
To reproduce this vulnerability, send a POST request to the OIDC token introspection endpoint with any string as the token. The response will always be {'active': true}, indicating that the endpoint accepts invalid tokens. This can be verified by also sending a request to the revocation endpoint, which will return {'revoked': true} without actually revoking the token, allowing it to be used until it expires.
Users are advised to update Admidio to version 5.0.9 or later, where this vulnerability has been patched.
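The following added example, written for this page and not taken from Admidio's code base, contrasts the two faulty behaviours described above (an introspection response that never consults the token store, and a revocation response that never changes state) with the RFC 7662 / RFC 7009 behaviour a resource server actually depends on. The in-memory TokenStore, its method names and the sample subject are assumptions made for the illustration.

```python
import hashlib
import secrets
import time


class TokenStore:
    """Illustrative in-memory OIDC token store (constructed for this example)."""

    def __init__(self):
        # Only a digest of each token is stored, so a leaked store does not
        # hand out usable bearer tokens.
        self._tokens = {}  # sha256(token) -> {"sub", "exp", "revoked"}

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, subject, ttl_seconds=3600):
        token = secrets.token_urlsafe(32)
        self._tokens[self._key(token)] = {
            "sub": subject, "exp": time.time() + ttl_seconds, "revoked": False}
        return token

    # --- behaviour as described in the advisory (pre-5.0.9) ---
    def introspect_vulnerable(self, token):
        # The token is never looked up: every string is reported as active.
        return {"active": True}

    def revoke_vulnerable(self, token):
        # Reports success but leaves the stored record untouched.
        return {"revoked": True}

    # --- corrected behaviour ---
    def introspect(self, token):
        # RFC 7662: unknown, expired or revoked tokens are reported as
        # inactive, and only an active token carries further claims.
        rec = self._tokens.get(self._key(token))
        if rec is None or rec["revoked"] or rec["exp"] <= time.time():
            return {"active": False}
        return {"active": True, "sub": rec["sub"], "exp": int(rec["exp"])}

    def revoke(self, token):
        # RFC 7009: mark the token unusable; the response stays 200 even for
        # unknown tokens, so callers must confirm revocation via introspection.
        rec = self._tokens.get(self._key(token))
        if rec is not None:
            rec["revoked"] = True
        return {"revoked": True}
```

A resource server should read the `active` field explicitly and reject anything else; a 200 response by itself is not proof that a token is valid.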