{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/simplesamlphp--2.5.0--2.5.1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["simplesamlphp (\u003e= 2.5.0, \u003c= 2.5.1)","simplesamlphp (\u003c= 2.4.6)"],"_cs_severities":["high"],"_cs_tags":["saml","vulnerability","web-application","authentication-bypass","authorization-bypass"],"_cs_type":"advisory","_cs_vendors":["SimpleSAMLphp"],"content_html":"\u003cp\u003eA vulnerability (CVE-2026-49284) has been identified in SimpleSAMLphp affecting versions up to 2.4.6 and between 2.5.0 and 2.5.1. This flaw stems from the Service Provider (SP) failing to enforce the intended Identity Provider (IdP) during an SP-initiated login, particularly in multi-IdP environments. Specifically, if a saved SP state expects a response from IdP A, but the Assertion Consumer Service (ACS) receives a valid SAML response from a different IdP (IdP B), SimpleSAMLphp logs a warning but proceeds to process the response. This behavior is critical when combined with the SP's handling of unsigned \u003ccode\u003esamlp:Response/@InResponseTo\u003c/code\u003e elements outside of signed assertions, especially if the signed assertion's \u003ccode\u003eSubjectConfirmationData\u003c/code\u003e lacks its own \u003ccode\u003eInResponseTo\u003c/code\u003e. This combination allows an attacker to bind a response from a trusted, but potentially lower-trust, IdP to SP state originally created for a higher-trust IdP, leading to authentication and authorization bypasses.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access / User Impersonation:\u003c/strong\u003e A legitimate user initiates an SP-initiated SAML login request to a SimpleSAMLphp SP, which expects authentication from a specific high-trust IdP (IdP A).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAttacker Intercepts/Manipulates Flow:\u003c/strong\u003e An attacker manipulates the SAML exchange, potentially redirecting the user or crafting a SAML response from a trusted, but lower-assurance, IdP (IdP B) that the SP also trusts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCrafted SAML Response:\u003c/strong\u003e The attacker generates a SAML response from IdP B. This response contains a valid, signed assertion but deliberately omits the \u003ccode\u003eInResponseTo\u003c/code\u003e attribute within \u003ccode\u003eSubjectConfirmationData\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnsigned Response-Level \u003ccode\u003eInResponseTo\u003c/code\u003e:\u003c/strong\u003e The attacker also includes an unsigned \u003ccode\u003esamlp:Response/@InResponseTo\u003c/code\u003e attribute in the overall SAML response, which matches the expected value from the SP-initiated request.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSimpleSAMLphp Processing Flaw:\u003c/strong\u003e The SimpleSAMLphp SP receives this crafted SAML response. Despite the \u003ccode\u003eExpectedIssuer\u003c/code\u003e in its saved state pointing to IdP A, it processes the response from IdP B because the assertion is validly signed and the \u003ccode\u003eInResponseTo\u003c/code\u003e checks are bypassed by the combination of missing \u003ccode\u003eSubjectConfirmationData/InResponseTo\u003c/code\u003e and unsigned \u003ccode\u003eResponse/InResponseTo\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eIdP Mismatch Ignored:\u003c/strong\u003e The SP issues a warning about the IdP mismatch but continues processing, accepting the authentication from IdP B.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication/Authorization Bypass:\u003c/strong\u003e The user is authenticated by the SP as if they had logged in via IdP A, potentially bypassing intended authorization checks or gaining access with different trust levels than expected.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnauthorized Access / Privilege Escalation:\u003c/strong\u003e If the application's authorization relies on the specific IdP used for login or its associated trust level, the attacker achieves unauthorized access or privilege escalation within the application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability significantly impacts deployments where SimpleSAMLphp functions as a Service Provider (SP) and trusts multiple Identity Providers (IdPs) with varying levels of assurance, different tenant boundaries, or distinct attribute namespaces. The primary consequence is an authentication and authorization bypass, enabling a lower-trust IdP to satisfy SP state created for a higher-trust or specific expected IdP. This can subvert security mechanisms designed to route users to particular IdPs, including configurations with \u003ccode\u003eenable_unsolicited\u003c/code\u003e set to \u003ccode\u003efalse\u003c/code\u003e. Attackers could gain unauthorized access or escalate privileges within the application if authorization decisions are tied to the selected IdP or its trust context. The severity of the impact is contingent on the attacker's ability to obtain signed IdP-initiated assertions from a trusted, but less secure, IdP and how application authorization maps user identifiers.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade SimpleSAMLphp to a patched version immediately to remediate \u003ccode\u003eCVE-2026-49284\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview your SimpleSAMLphp \u003ccode\u003esp-remote\u003c/code\u003e configurations for any multi-IdP deployments that might be affected by \u003ccode\u003eCVE-2026-49284\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T11:11:00Z","date_published":"2026-07-03T11:11:00Z","id":"https://feed.craftedsignal.io/briefs/2026-07-simplesamlphp-idp-bypass/","summary":"SimpleSAMLphp's Service Provider (SP) does not properly enforce the expected Identity Provider (IdP) for an SP-initiated login when a response from a different IdP is received, allowing an attacker to exploit CVE-2026-49284 in multi-IdP deployments to bypass authentication and authorization controls by substituting a lower-trust IdP's response for a higher-trust one, potentially gaining unauthorized access or elevating privileges if application authorization relies on the specific IdP used.","title":"SimpleSAMLphp SP IdP Bypass Vulnerability (CVE-2026-49284)","url":"https://feed.craftedsignal.io/briefs/2026-07-simplesamlphp-idp-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Simplesamlphp (\u003e= 2.5.0, \u003c= 2.5.1)","version":"https://jsonfeed.org/version/1.1"}