<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Simplesamlphp (&gt;= 2.5.0, &lt;= 2.5.1) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/simplesamlphp--2.5.0--2.5.1/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 11:11:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/simplesamlphp--2.5.0--2.5.1/feed.xml" rel="self" type="application/rss+xml"/><item><title>SimpleSAMLphp SP IdP Bypass Vulnerability (CVE-2026-49284)</title><link>https://feed.craftedsignal.io/briefs/2026-07-simplesamlphp-idp-bypass/</link><pubDate>Fri, 03 Jul 2026 11:11:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-simplesamlphp-idp-bypass/</guid><description>SimpleSAMLphp's Service Provider (SP) does not properly enforce the expected Identity Provider (IdP) for an SP-initiated login when a response from a different IdP is received, allowing an attacker to exploit CVE-2026-49284 in multi-IdP deployments to bypass authentication and authorization controls by substituting a lower-trust IdP's response for a higher-trust one, potentially gaining unauthorized access or elevating privileges if application authorization relies on the specific IdP used.</description><content:encoded><![CDATA[<p>A vulnerability (CVE-2026-49284) has been identified in SimpleSAMLphp affecting versions up to 2.4.6 and between 2.5.0 and 2.5.1. This flaw stems from the Service Provider (SP) failing to enforce the intended Identity Provider (IdP) during an SP-initiated login, particularly in multi-IdP environments. Specifically, if a saved SP state expects a response from IdP A, but the Assertion Consumer Service (ACS) receives a valid SAML response from a different IdP (IdP B), SimpleSAMLphp logs a warning but proceeds to process the response. This behavior is critical when combined with the SP's handling of unsigned <code>samlp:Response/@InResponseTo</code> elements outside of signed assertions, especially if the signed assertion's <code>SubjectConfirmationData</code> lacks its own <code>InResponseTo</code>. This combination allows an attacker to bind a response from a trusted, but potentially lower-trust, IdP to SP state originally created for a higher-trust IdP, leading to authentication and authorization bypasses.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access / User Impersonation:</strong> A legitimate user initiates an SP-initiated SAML login request to a SimpleSAMLphp SP, which expects authentication from a specific high-trust IdP (IdP A).</li>
<li><strong>Attacker Intercepts/Manipulates Flow:</strong> An attacker manipulates the SAML exchange, potentially redirecting the user or crafting a SAML response from a trusted, but lower-assurance, IdP (IdP B) that the SP also trusts.</li>
<li><strong>Crafted SAML Response:</strong> The attacker generates a SAML response from IdP B. This response contains a valid, signed assertion but deliberately omits the <code>InResponseTo</code> attribute within <code>SubjectConfirmationData</code>.</li>
<li><strong>Unsigned Response-Level <code>InResponseTo</code>:</strong> The attacker also includes an unsigned <code>samlp:Response/@InResponseTo</code> attribute in the overall SAML response, which matches the expected value from the SP-initiated request.</li>
<li><strong>SimpleSAMLphp Processing Flaw:</strong> The SimpleSAMLphp SP receives this crafted SAML response. Despite the <code>ExpectedIssuer</code> in its saved state pointing to IdP A, it processes the response from IdP B because the assertion is validly signed and the <code>InResponseTo</code> checks are bypassed by the combination of missing <code>SubjectConfirmationData/InResponseTo</code> and unsigned <code>Response/InResponseTo</code>.</li>
<li><strong>IdP Mismatch Ignored:</strong> The SP issues a warning about the IdP mismatch but continues processing, accepting the authentication from IdP B.</li>
<li><strong>Authentication/Authorization Bypass:</strong> The user is authenticated by the SP as if they had logged in via IdP A, potentially bypassing intended authorization checks or gaining access with different trust levels than expected.</li>
<li><strong>Unauthorized Access / Privilege Escalation:</strong> If the application's authorization relies on the specific IdP used for login or its associated trust level, the attacker achieves unauthorized access or privilege escalation within the application.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This vulnerability significantly impacts deployments where SimpleSAMLphp functions as a Service Provider (SP) and trusts multiple Identity Providers (IdPs) with varying levels of assurance, different tenant boundaries, or distinct attribute namespaces. The primary consequence is an authentication and authorization bypass, enabling a lower-trust IdP to satisfy SP state created for a higher-trust or specific expected IdP. This can subvert security mechanisms designed to route users to particular IdPs, including configurations with <code>enable_unsolicited</code> set to <code>false</code>. Attackers could gain unauthorized access or escalate privileges within the application if authorization decisions are tied to the selected IdP or its trust context. The severity of the impact is contingent on the attacker's ability to obtain signed IdP-initiated assertions from a trusted, but less secure, IdP and how application authorization maps user identifiers.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade SimpleSAMLphp to a patched version immediately to remediate <code>CVE-2026-49284</code>.</li>
<li>Review your SimpleSAMLphp <code>sp-remote</code> configurations for any multi-IdP deployments that might be affected by <code>CVE-2026-49284</code>.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>saml</category><category>vulnerability</category><category>web-application</category><category>authentication-bypass</category><category>authorization-bypass</category></item></channel></rss>