{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/simplesamlphp-saml2-6.0.0-6.2.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["SimpleSAMLphp SAML2 (6.0.0-6.2.0)","SimpleSAMLphp SAML2 (5.0.0-5.0.5)","SimpleSAMLphp SAML2 (\u003c4.20.2)","SimpleSAMLphp SAML2-Legacy (\u003c4.20.2)"],"_cs_severities":["high"],"_cs_tags":["vulnerability","saml","authentication-bypass","identity-federation"],"_cs_type":"advisory","_cs_vendors":["SimpleSAMLphp"],"content_html":"\u003cp\u003eA critical vulnerability (CVE-2026-49283) in SimpleSAMLphp's HTTP-Artifact receive path allows a malicious or lower-trust Identity Provider (IdP) to bypass authentication and impersonate users from a higher-trust IdP. This flaw, present in versions \u0026lt; 4.20.2, \u0026gt;= 5.0.0 \u0026lt; 5.0.6, and \u0026gt;= 6.0.0 \u0026lt; 6.2.1 of the \u003ccode\u003esaml2\u003c/code\u003e and \u003ccode\u003esaml2-legacy\u003c/code\u003e packages, occurs because the \u003ccode\u003eSOAPClient::validateSSL()\u003c/code\u003e method fails to throw an exception when the TLS public key does not match, causing \u003ccode\u003eSAML2\\Message::validate()\u003c/code\u003e to incorrectly deem an unsigned embedded SAML \u003ccode\u003eResponse\u003c/code\u003e as cryptographically valid. This enables the attacker to forge assertion attributes, NameID, and session data, effectively authenticating as arbitrary users from a high-assurance IdP within a multi-IdP or federation deployment. For defenders, this means a compromised or untrusted IdP within their trust circle could gain unauthorized access to Service Providers, violating trust boundaries and leading to significant data breaches or unauthorized system access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious or lower-trust Identity Provider (IdP) crafts an unsigned SAML \u003ccode\u003eResponse\u003c/code\u003e that claims to be issued by a high-trust IdP.\u003c/li\u003e\n\u003cli\u003eThe malicious IdP sends an HTTP-Artifact \u003ccode\u003eResponse\u003c/code\u003e containing this forged \u003ccode\u003eSAML Response\u003c/code\u003e to the Service Provider (SP).\u003c/li\u003e\n\u003cli\u003eThe SP's SimpleSAMLphp installation receives the HTTP-Artifact \u003ccode\u003eResponse\u003c/code\u003e and initiates its \u003ccode\u003eHTTPArtifact::receive()\u003c/code\u003e processing flow.\u003c/li\u003e\n\u003cli\u003eDuring processing of the \u003ccode\u003eArtifactResponse\u003c/code\u003e, the \u003ccode\u003eSOAPClient::addSSLValidator()\u003c/code\u003e mechanism is invoked, providing a TLS-based validator for the outer SOAP message.\u003c/li\u003e\n\u003cli\u003eThe embedded unsigned SAML \u003ccode\u003eResponse\u003c/code\u003e is then passed to \u003ccode\u003eSAML2\\Message::validate()\u003c/code\u003e, which delegates signature validation to the validator provided by the outer \u003ccode\u003eArtifactResponse\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eSOAPClient::validateSSL()\u003c/code\u003e method, when called to validate the embedded SAML \u003ccode\u003eResponse\u003c/code\u003e, returns normally even though the TLS public key does not match the key for the claimed high-trust IdP.\u003c/li\u003e\n\u003cli\u003eBecause \u003ccode\u003eSOAPClient::validateSSL()\u003c/code\u003e did not throw an exception, \u003ccode\u003eSAML2\\Message::validate()\u003c/code\u003e incorrectly interprets this as successful validation, treating the unsigned embedded SAML \u003ccode\u003eResponse\u003c/code\u003e as cryptographically valid.\u003c/li\u003e\n\u003cli\u003eThe SP then processes this maliciously validated SAML \u003ccode\u003eResponse\u003c/code\u003e using metadata from the claimed high-trust IdP, granting the attacker authentication as arbitrary users from that IdP.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows a malicious or lower-trust IdP within the same SP/federation trust set to authenticate to the Service Provider (SP) as arbitrary users from any higher-trust IdP when the HTTP-Artifact binding is in use. Attackers can choose and forge assertion attributes, \u003ccode\u003eNameID\u003c/code\u003e, and session data within the unsigned assertion, gaining unauthorized access as legitimate users. This represents a severe authentication bypass and identity-provider impersonation issue, fundamentally undermining the security boundaries in federated environments where the integrity of different IdPs is critical. If exploited, it could lead to widespread unauthorized access, data exfiltration, or further compromise of systems relying on the affected SimpleSAMLphp instances.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-49283 by updating SimpleSAMLphp to a non-vulnerable version immediately:\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003ecomposer/simplesamlphp/saml2\u003c/code\u003e: Upgrade to \u003ccode\u003e6.2.1\u003c/code\u003e or later.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ecomposer/simplesamlphp/saml2\u003c/code\u003e: Upgrade to \u003ccode\u003e5.0.6\u003c/code\u003e or later for version 5.x branch.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ecomposer/simplesamlphp/saml2\u003c/code\u003e or \u003ccode\u003ecomposer/simplesamlphp/saml2-legacy\u003c/code\u003e: Upgrade to \u003ccode\u003e4.20.2\u003c/code\u003e or later for version 4.x branch.\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003eReview authentication logs for unusual login patterns or failed authentications originating from specific IdPs, especially if using HTTP-Artifact binding.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T11:27:06Z","date_published":"2026-07-03T11:27:06Z","id":"https://feed.craftedsignal.io/briefs/2026-07-simplesamlphp-auth-bypass/","summary":"A critical vulnerability (CVE-2026-49283) in SimpleSAMLphp's HTTP-Artifact receive path allows a malicious or lower-trust Identity Provider (IdP) to bypass authentication and impersonate users from a higher-trust IdP by leveraging a flaw where `SOAPClient::validateSSL()` fails to properly validate TLS public keys for unsigned SAML Responses.","title":"SimpleSAMLphp HTTP-Artifact Authentication Bypass via TLS Validator Confusion (CVE-2026-49283)","url":"https://feed.craftedsignal.io/briefs/2026-07-simplesamlphp-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - SimpleSAMLphp SAML2 (6.0.0-6.2.0)","version":"https://jsonfeed.org/version/1.1"}