<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>SimpleSAMLphp SAML2 (6.0.0-6.2.0) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/simplesamlphp-saml2-6.0.0-6.2.0/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 11:27:06 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/simplesamlphp-saml2-6.0.0-6.2.0/feed.xml" rel="self" type="application/rss+xml"/><item><title>SimpleSAMLphp HTTP-Artifact Authentication Bypass via TLS Validator Confusion (CVE-2026-49283)</title><link>https://feed.craftedsignal.io/briefs/2026-07-simplesamlphp-auth-bypass/</link><pubDate>Fri, 03 Jul 2026 11:27:06 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-simplesamlphp-auth-bypass/</guid><description>A critical vulnerability (CVE-2026-49283) in SimpleSAMLphp's HTTP-Artifact receive path allows a malicious or lower-trust Identity Provider (IdP) to bypass authentication and impersonate users from a higher-trust IdP by leveraging a flaw where `SOAPClient::validateSSL()` fails to properly validate TLS public keys for unsigned SAML Responses.</description><content:encoded><![CDATA[<p>A critical vulnerability (CVE-2026-49283) in SimpleSAMLphp's HTTP-Artifact receive path allows a malicious or lower-trust Identity Provider (IdP) to bypass authentication and impersonate users from a higher-trust IdP. This flaw, present in versions &lt; 4.20.2, &gt;= 5.0.0 &lt; 5.0.6, and &gt;= 6.0.0 &lt; 6.2.1 of the <code>saml2</code> and <code>saml2-legacy</code> packages, occurs because the <code>SOAPClient::validateSSL()</code> method fails to throw an exception when the TLS public key does not match, causing <code>SAML2\Message::validate()</code> to incorrectly deem an unsigned embedded SAML <code>Response</code> as cryptographically valid. This enables the attacker to forge assertion attributes, NameID, and session data, effectively authenticating as arbitrary users from a high-assurance IdP within a multi-IdP or federation deployment. For defenders, this means a compromised or untrusted IdP within their trust circle could gain unauthorized access to Service Providers, violating trust boundaries and leading to significant data breaches or unauthorized system access.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A malicious or lower-trust Identity Provider (IdP) crafts an unsigned SAML <code>Response</code> that claims to be issued by a high-trust IdP.</li>
<li>The malicious IdP sends an HTTP-Artifact <code>Response</code> containing this forged <code>SAML Response</code> to the Service Provider (SP).</li>
<li>The SP's SimpleSAMLphp installation receives the HTTP-Artifact <code>Response</code> and initiates its <code>HTTPArtifact::receive()</code> processing flow.</li>
<li>During processing of the <code>ArtifactResponse</code>, the <code>SOAPClient::addSSLValidator()</code> mechanism is invoked, providing a TLS-based validator for the outer SOAP message.</li>
<li>The embedded unsigned SAML <code>Response</code> is then passed to <code>SAML2\Message::validate()</code>, which delegates signature validation to the validator provided by the outer <code>ArtifactResponse</code>.</li>
<li>The <code>SOAPClient::validateSSL()</code> method, when called to validate the embedded SAML <code>Response</code>, returns normally even though the TLS public key does not match the key for the claimed high-trust IdP.</li>
<li>Because <code>SOAPClient::validateSSL()</code> did not throw an exception, <code>SAML2\Message::validate()</code> incorrectly interprets this as successful validation, treating the unsigned embedded SAML <code>Response</code> as cryptographically valid.</li>
<li>The SP then processes this maliciously validated SAML <code>Response</code> using metadata from the claimed high-trust IdP, granting the attacker authentication as arbitrary users from that IdP.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This vulnerability allows a malicious or lower-trust IdP within the same SP/federation trust set to authenticate to the Service Provider (SP) as arbitrary users from any higher-trust IdP when the HTTP-Artifact binding is in use. Attackers can choose and forge assertion attributes, <code>NameID</code>, and session data within the unsigned assertion, gaining unauthorized access as legitimate users. This represents a severe authentication bypass and identity-provider impersonation issue, fundamentally undermining the security boundaries in federated environments where the integrity of different IdPs is critical. If exploited, it could lead to widespread unauthorized access, data exfiltration, or further compromise of systems relying on the affected SimpleSAMLphp instances.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-49283 by updating SimpleSAMLphp to a non-vulnerable version immediately:
<ul>
<li><code>composer/simplesamlphp/saml2</code>: Upgrade to <code>6.2.1</code> or later.</li>
<li><code>composer/simplesamlphp/saml2</code>: Upgrade to <code>5.0.6</code> or later for version 5.x branch.</li>
<li><code>composer/simplesamlphp/saml2</code> or <code>composer/simplesamlphp/saml2-legacy</code>: Upgrade to <code>4.20.2</code> or later for version 4.x branch.</li>
</ul>
</li>
<li>Review authentication logs for unusual login patterns or failed authentications originating from specific IdPs, especially if using HTTP-Artifact binding.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>saml</category><category>authentication-bypass</category><category>identity-federation</category></item></channel></rss>