Saml

A critical vulnerability (CVE-2026-42354) exists in Sentry's SAML SSO implementation that allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same Sentry instance, affecting self-hosted users with multiple organizations configured if a malicious user has permissions to modify SSO settings, while Sentry SaaS was patched in April and self-hosted users are advised to upgrade to version 26.4.1 or higher.

Admidio's SAML Identity Provider implementation fails to properly validate signatures on SAML AuthnRequests and LogoutRequests, enabling attackers to bypass signature enforcement, potentially disclose user attributes via forged SSO requests, and terminate user sessions via forged SLO requests.

A critical vulnerability in Sentry's SAML SSO implementation allows account takeover by exploiting improper authentication when multiple organizations are configured, affecting versions 21.12.0 to 26.2.0 and requiring a malicious SAML Identity Provider and knowledge of the victim's email address.

OneUptime versions prior to 10.0.42 are vulnerable to an authentication bypass due to improper SAML signature validation, allowing attackers to impersonate users by prepending unsigned assertions.

An adversary may delete an AWS SAML provider to disrupt administrative access, hindering incident response and potentially escalating privileges within the AWS environment.

Admidio's SAML IdP implementation in its SSO module is vulnerable to sending SAML responses to unvalidated Assertion Consumer Service URLs, allowing an attacker to craft a SAML AuthnRequest with an arbitrary AssertionConsumerServiceURL, causing the IdP to send the signed SAML response, containing user identity attributes, to an attacker-controlled URL, enabling impersonation of the victim user on the legitimate SP by replaying the SAML assertion.

This rule identifies suspicious SAML activity in AWS, such as AssumeRoleWithSAML and UpdateSAMLProvider events, which could indicate an attacker gaining backdoor access, escalating privileges, or establishing persistence.