Product
SimpleSAMLphp's Service Provider (SP) does not properly enforce the expected Identity Provider (IdP) for an SP-initiated login when a response from a different IdP is received, allowing an attacker to exploit CVE-2026-49284 in multi-IdP deployments to bypass authentication and authorization controls by substituting a lower-trust IdP's response for a higher-trust one, potentially gaining unauthorized access or elevating privileges if application authorization relies on the specific IdP used.