Saml — CraftedSignal Threat Feed

Sentry SAML SSO Improper Authentication Allows User Identity Linking

hello@craftedsignal.io — Thu, 30 Apr 2026 20:45:20 +0000

A critical vulnerability, CVE-2026-42354, has been identified in the SAML Single Sign-On (SSO) implementation of Sentry, potentially allowing an attacker to compromise user accounts. This vulnerability stems from improper authentication during the SAML SSO process, leading to the possibility of user identity linking. The vulnerability affects Sentry versions 21.12.0 up to and including 26.4.0. To exploit this vulnerability, an attacker requires a malicious SAML Identity Provider and access to another organization within the same Sentry instance, coupled with knowledge of the victim’s email address. This attack vector poses a significant risk to self-hosted Sentry instances that are configured with multiple organizations (SENTRY_SINGLE_ORGANIZATION = False), where a malicious user possesses the necessary permissions to modify SSO settings for a different organization. Sentry SaaS has already been patched in April.

Attack Chain

The attacker gains access to a Sentry instance that has multiple organizations configured.
The attacker obtains permissions to modify the SAML SSO settings of at least one organization within the Sentry instance.
The attacker crafts a malicious SAML Identity Provider (IdP) designed to inject or manipulate user identity attributes.
The attacker uses the malicious SAML IdP to initiate a single sign-on (SSO) process to a Sentry organization they control.
The attacker provides the email address of the targeted victim, linking the victim’s identity in the Sentry instance to the malicious SAML IdP.
The victim attempts to log in to their Sentry account through SAML SSO.
Due to the vulnerability, Sentry incorrectly authenticates the victim based on the attributes provided by the attacker’s malicious SAML IdP.
The attacker successfully takes over the victim’s account, gaining access to sensitive data and functionalities associated with the victim’s privileges.

Impact

Successful exploitation of this vulnerability can lead to complete account takeover, resulting in unauthorized access to sensitive project data, configuration settings, and potentially even administrative privileges within the Sentry instance. This poses a substantial risk to organizations using vulnerable Sentry versions, as attackers could exfiltrate sensitive information, modify configurations, or disrupt services. The impact is particularly severe for self-hosted Sentry instances with multiple organizations, where a single compromised account could lead to broader access across the entire platform.

Recommendation

Upgrade self-hosted Sentry instances to version 26.4.1 or higher to patch CVE-2026-42354.
Enable user account-based two-factor authentication (2FA) for all Sentry accounts as a preventative measure, as mentioned in the Workarounds section.
Monitor Sentry audit logs for any unauthorized changes to SAML SSO configurations, particularly within multi-organization setups, to detect potential exploitation attempts.
Review and restrict permissions for modifying SSO settings across all organizations to minimize the attack surface, as described in the Overview.

Admidio SAML Signature Validation Bypass Allows Forged AuthnRequests and LogoutRequests

hello@craftedsignal.io — Wed, 29 Apr 2026 21:56:13 +0000

Admidio, a free web-based content management system for organizations and groups, contains a critical vulnerability in its SAML Single Sign-On (SSO) implementation. The validateSignature() method within the SAMLService class returns error strings upon signature validation failure, rather than throwing exceptions. The calling functions, handleSSORequest() and handleSLORequest(), incorrectly assume that the method throws an exception, and therefore, do not check the return value. This oversight renders the smc_require_auth_signed configuration option ineffective, allowing attackers to forge SAML AuthnRequests and LogoutRequests. An attacker can exploit this vulnerability to obtain sensitive user information or cause denial of service by terminating user sessions. This affects Admidio versions 5.0.8 and earlier and requires SAML SSO to be enabled.

Attack Chain

An attacker crafts a malicious SAML AuthnRequest or LogoutRequest without a valid signature, impersonating a legitimate Service Provider (SP).
The attacker sends the forged SAML request to the Admidio instance via HTTP GET or POST to modules/sso/index.php.
The receiveMessage() function parses the SAML binding directly from the HTTP request, requiring no prior authentication.
The Entity ID is extracted from the forged request’s Issuer element, and the corresponding client configuration is loaded.
The validateSignature() function is called, but its return value (indicating signature validity) is discarded.
For AuthnRequests, if the targeted user has an active session ($gValidLogin is true), the login form is skipped.
Admidio builds a SAML Response containing the user’s attributes (login, name, email, roles) and sends it to the attacker-controlled AssertionConsumerServiceURL.
For LogoutRequests, the user’s session is immediately terminated in the database, triggering a cascading single logout across all registered SPs.

Impact

Successful exploitation of this vulnerability can lead to several critical impacts. The primary impact is the complete bypass of signature enforcement, negating the security benefits of the smc_require_auth_signed setting. This can lead to the disclosure of sensitive user attributes, including login name, email, and role memberships, to unauthorized parties by forging SSO requests and redirecting them to attacker-controlled endpoints. Furthermore, attackers can terminate any user’s Admidio session by forging SLO requests, potentially causing a denial-of-service condition. This vulnerability affects all Admidio instances with SAML SSO enabled and can potentially impact all users of the system.

Recommendation

Apply the recommended fix in the Admidio codebase to check the return value of validateSignature() and throw an exception on failure, as outlined in the advisory (https://github.com/advisories/GHSA-25cw-98hg-g3cg).
Deploy the Sigma rule “Admidio Forged SAML AuthnRequest Detection” to detect potentially malicious SAML AuthnRequests lacking a valid signature via webserver logs.
Deploy the Sigma rule “Admidio Forged SAML LogoutRequest Detection” to detect potentially malicious SAML LogoutRequests lacking a valid signature via webserver logs.
Monitor webserver logs for requests to /adm_program/modules/sso/index.php/saml/sso and /adm_program/modules/sso/index.php/saml/slo without proper signature validation to detect potential exploitation attempts.
Upgrade to a patched version of Admidio to address CVE-2026-41669.

Sentry SAML SSO Improper Authentication Vulnerability

hello@craftedsignal.io — Sat, 18 Apr 2026 12:00:00 +0000

A critical vulnerability (CVE-2026-27197) has been identified in the SAML Single Sign-On (SSO) implementation within Sentry, a popular error tracking and performance monitoring platform. This vulnerability allows a malicious actor to potentially take over user accounts by leveraging a rogue SAML Identity Provider (IdP) in conjunction with another organization configured within the same Sentry instance. The attacker needs to know the victim’s email address for successful exploitation. This flaw primarily impacts self-hosted Sentry deployments with multiple organizations enabled (SENTRY_SINGLE_ORGANIZATION = False) and where a malicious user possesses the ability to modify SSO settings for another organization. Sentry SaaS was patched on February 18, 2026. Self-hosted users should upgrade to version 26.2.0 or later to remediate this vulnerability.

Attack Chain

The attacker gains access to a Sentry instance that hosts multiple organizations. This could be through compromised credentials or other initial access vectors.
The attacker identifies a target user’s email address within the Sentry instance.
The attacker gains permissions to modify SSO settings for an organization within the Sentry instance.
The attacker configures a malicious SAML Identity Provider (IdP) for the organization they control. This IdP is designed to spoof user identities.
The victim attempts to log in to Sentry via SAML SSO.
Sentry redirects the victim to the attacker’s malicious SAML IdP for authentication.
The attacker’s malicious SAML IdP asserts the victim’s identity (using the known email address) to Sentry, but the assertion is illegitimate and controlled by the attacker.
Sentry, due to the vulnerability, improperly validates the SAML assertion, allowing the attacker to successfully authenticate as the victim and gain unauthorized access to their account.

Impact

Successful exploitation of this vulnerability allows an attacker to completely take over a targeted user’s Sentry account. This grants the attacker the ability to access sensitive project data, modify configurations, invite/remove team members, and potentially disrupt the entire Sentry instance’s operations. The vulnerability affects Sentry versions 21.12.0 up to, but not including, 26.2.0. The number of potential victims depends on the number of vulnerable Sentry instances with multiple organizations configured and the attacker’s ability to modify SSO settings.

Recommendation

Upgrade self-hosted Sentry instances to version 26.2.0 or later to patch CVE-2026-27197.
Enable two-factor authentication (2FA) on all Sentry accounts. Users can manage this in Account Settings > Security, as mentioned in the helpdesk article.
Monitor Sentry logs for unusual SSO configuration changes, specifically modifications to SAML Identity Provider settings. Deploy a rule that detects modifications to the SENTRY_SINGLE_ORGANIZATION setting, as this is a prerequisite for exploitation.
Implement the Sigma rule Detect Suspicious SAML Authentication to identify potential unauthorized SAML authentication attempts based on unusual IP addresses or user agents.

OneUptime SAML SSO Authentication Bypass Vulnerability (CVE-2026-34840)

hello@craftedsignal.io — Thu, 02 Apr 2026 20:16:28 +0000

OneUptime, an open-source monitoring and observability platform, is vulnerable to an authentication bypass in versions prior to 10.0.42. The vulnerability, identified as CVE-2026-34840, resides in the SAML Single Sign-On (SSO) implementation within the App/FeatureSet/Identity/Utils/SSO.ts file. The flawed logic involves a decoupling of signature verification and identity extraction processes. Specifically, the isSignatureValid() function checks the signature of the first element, while the getEmail() function extracts the email address from the first assertion element assertion[0]. This design allows an attacker to prepend a malicious, unsigned SAML assertion containing an arbitrary identity before a legitimate, signed assertion. This bypasses authentication, potentially granting unauthorized access to sensitive monitoring data and platform functionalities. The vulnerability has been patched in version 10.0.42.

Attack Chain

Attacker crafts a malicious SAML response containing an unsigned assertion with a forged identity (e.g., a privileged user’s email).
The attacker prepends this malicious assertion to a valid, signed SAML assertion generated for a low-privilege account or a newly created account.
The combined SAML response is sent to the OneUptime platform for authentication.
The isSignatureValid() function verifies the signature of the second assertion (the originally signed, valid one), passing the signature check.
The getEmail() function extracts the email address from the first assertion (the malicious, unsigned one), effectively impersonating the forged identity.
OneUptime grants access based on the forged identity extracted from the malicious assertion.
The attacker gains unauthorized access to the OneUptime platform with the privileges of the impersonated user.
The attacker can then view monitoring data, modify configurations, or perform other actions allowed to the compromised account.

Impact

Successful exploitation of CVE-2026-34840 allows an attacker to bypass authentication and impersonate any user on the OneUptime platform. This could lead to unauthorized access to sensitive monitoring data, modification of system configurations, and potentially complete compromise of the OneUptime instance. The vulnerability has a CVSS v3.1 base score of 8.1, indicating a high severity. Organizations using vulnerable OneUptime versions are at risk of significant data breaches and operational disruption.

Recommendation

Immediately upgrade OneUptime instances to version 10.0.42 or later to patch CVE-2026-34840.
Implement a web application firewall (WAF) rule to inspect SAML responses for multiple assertions and reject requests containing more than one assertion to prevent the attack described in the attack chain.
Monitor web server logs for suspicious SAML authentication requests and responses, focusing on unusual source IPs or deviations from normal authentication patterns related to the webserver log source.

AWS SAML Provider Deletion Activity

hello@craftedsignal.io — Thu, 19 Dec 2024 00:00:00 +0000

The deletion of a SAML provider in AWS can be a significant indicator of malicious activity. An attacker who has gained initial access to an AWS environment may attempt to remove the SAML provider used by the information security team or system administrators. This action can severely impede the team’s ability to investigate and respond to ongoing attacks. By disrupting access, the attacker gains a window of opportunity to further escalate privileges, move laterally within the environment, and achieve their objectives without immediate detection or intervention. This activity directly impacts the availability and integrity of resources within the AWS cloud environment.

Attack Chain

Initial access is gained to an AWS account through compromised credentials or other means (T1078.004).
The attacker enumerates existing IAM resources, including SAML providers, using AWS CLI or API calls.
The attacker identifies the SAML provider used by administrative or security teams.
The attacker executes the DeleteSAMLProvider API call via the AWS CLI, API, or AWS Management Console (T1531).
The DeleteSAMLProvider event is logged in AWS CloudTrail with a “success” status.
Administrative and security teams lose access to AWS resources that require SAML authentication.
The attacker leverages the compromised account to escalate privileges, create new IAM users, or modify existing policies.
The attacker persists in the environment, potentially exfiltrating data or deploying malicious workloads (T1485).

Impact

The deletion of an AWS SAML provider can have serious consequences. It disrupts access for administrators and security personnel, delaying incident response and potentially allowing attackers to further compromise the environment. This can lead to data breaches, service disruptions, and financial losses. The severity of the impact depends on the criticality of the affected AWS resources and the speed of detection and recovery.

Recommendation

Deploy the Sigma rule “AWS SAML Provider Deletion Activity” to your SIEM and tune for your environment to detect this specific event.
Investigate any DeleteSAMLProvider events in AWS CloudTrail, focusing on the user identity, user agent, and source IP address (logsource: aws/cloudtrail).
Implement multi-factor authentication (MFA) for all IAM users, especially those with administrative privileges, to reduce the risk of credential compromise (T1110).
Review and enforce the principle of least privilege for all IAM roles and users to limit the impact of compromised credentials.

Admidio SAML Assertion Consumer Service (ACS) URL Validation Bypass

hello@craftedsignal.io — Mon, 29 Jan 2024 12:00:00 +0000

A vulnerability exists in Admidio’s SAML IdP implementation within the SSO module (versions 5.0.8 and earlier) that allows for bypassing Assertion Consumer Service (ACS) URL validation. The IdP uses the AssertionConsumerServiceURL value directly from incoming SAML AuthnRequest messages as the destination for the SAML response without verifying it against the registered smc_acs_url for the corresponding service provider client. An attacker can exploit this by crafting a SAML AuthnRequest with the Entity ID of a registered SP client and an attacker-controlled AssertionConsumerServiceURL. This causes the IdP to send the signed SAML response, containing sensitive user identity attributes (login name, email, roles, profile fields), to a URL controlled by the attacker. The default configuration does not require signed AuthnRequests, simplifying exploitation to only needing the SP’s Entity ID.

Attack Chain

The attacker identifies the Entity ID of a registered SAML service provider (SP) client within the Admidio IdP. This is often publicly available from the SP’s metadata endpoint.
The attacker crafts a malicious SAML AuthnRequest. The AuthnRequest includes the legitimate SP Entity ID as the Issuer, but sets the AssertionConsumerServiceURL to a URL controlled by the attacker (e.g., https://attacker.test/steal-saml).
The attacker sends the crafted SAML AuthnRequest to Admidio’s SSO endpoint (/modules/sso/index.php/saml/sso) using the HTTP-POST binding, typically by tricking a logged-in user into accessing a webpage containing an auto-submitting form.
Admidio’s SSO module receives the AuthnRequest. If signature validation is not enforced for the SP, the request proceeds without signature verification.
If the user is already authenticated with the Admidio IdP, the IdP generates a signed SAML response containing the user’s identity and attributes. The destination of the SAML response is set to the attacker-controlled AssertionConsumerServiceURL taken directly from the AuthnRequest.
Admidio renders an auto-submitting HTML form in the victim’s browser, which POSTs the signed SAML response to the attacker’s URL (https://attacker.test/steal-saml).
The attacker’s server receives the SAML response, extracting the user’s login name, email, full name, roles, and any other profile fields included in the assertion.
The attacker replays the stolen SAML assertion to the legitimate SP to authenticate as the victim, gaining unauthorized access to the SP application and its resources.

Impact

Successful exploitation of this vulnerability allows an attacker to steal user identities and impersonate victims on legitimate service provider applications. This leads to unauthorized access to user accounts and potential access to sensitive data and resources within those applications. The scope change enables impersonation across separate service provider applications. The vulnerability is exploitable without requiring knowledge of cryptographic keys if smc_require_auth_signed is not enabled, making it easier to exploit. All versions of Admidio up to and including 5.0.8 are affected.

Recommendation

Apply the vendor-supplied patch described in GHSA-p9w9-87c8-m235 by upgrading to a version of Admidio greater than 5.0.8.
As a temporary mitigation, enable smc_require_auth_signed and smc_validate_signatures for all SAML clients to enforce signature validation, mitigating attacks from unauthenticated sources.
Monitor web server logs for POST requests to the Admidio SSO endpoint (/modules/sso/index.php/saml/sso) with suspicious SAMLRequest parameters containing attacker-controlled AssertionConsumerServiceURL values, which can be detected using the “Admidio SAML AuthnRequest ACS URL Override” Sigma rule.
Monitor network traffic for connections to attacker-controlled URLs, such as https://attacker.test/steal-saml, which may indicate successful exploitation and the exfiltration of SAML responses as listed in the IOC table.

Suspicious AWS SAML Activity Detection

hello@craftedsignal.io — Wed, 03 Jan 2024 18:22:30 +0000

This detection identifies potentially malicious Security Assertion Markup Language (SAML) activity within Amazon Web Services (AWS). The activity includes monitoring for AssumeRoleWithSAML and UpdateSAMLProvider events. An adversary might exploit SAML to gain unauthorized access, escalate privileges, move laterally within the AWS environment, or establish persistent backdoor access. The focus is on detecting unusual or unauthorized modifications to SAML configurations and role assumptions, which could indicate a compromised identity provider or malicious actor leveraging SAML for illicit purposes. Defenders should prioritize monitoring SAML-related API calls to identify and mitigate potential threats early in the attack chain.

Attack Chain

The attacker compromises or creates a malicious SAML identity provider.
The attacker configures the AWS environment to trust the malicious SAML provider using UpdateSAMLProvider.
The attacker crafts a SAML assertion to assume a specific role within the AWS environment.
The attacker uses the AssumeRoleWithSAML API call to authenticate with AWS using the crafted SAML assertion.
AWS STS validates the SAML assertion and, if valid, provides temporary credentials for the assumed role.
The attacker uses the temporary credentials to perform actions within AWS, potentially escalating privileges.
The attacker moves laterally within the AWS environment, accessing resources and services authorized for the assumed role.
The attacker establishes persistent access by creating backdoors or modifying existing IAM policies, leveraging the initially gained access.

Impact

Successful exploitation via SAML manipulation can lead to a complete compromise of the AWS environment. Attackers can gain unauthorized access to sensitive data, disrupt critical services, and deploy malicious infrastructure. The impact includes potential data breaches, financial losses, and reputational damage. The number of affected resources depends on the permissions associated with the roles assumed by the attacker.

Recommendation

Deploy the Sigma rule for AssumeRoleWithSAML events to detect suspicious role assumptions (see “AssumeRoleWithSAML Detection Rule”).
Deploy the Sigma rule for UpdateSAMLProvider events to detect unauthorized SAML provider modifications (see “UpdateSAMLProvider Detection Rule”).
Investigate any AssumeRoleWithSAML events originating from unfamiliar user agents or IP addresses by reviewing CloudTrail logs.
Monitor UpdateSAMLProvider events for unexpected changes to SAML provider configurations. Review associated CloudTrail logs for user identity, user agent, and hostname to ensure authorized access.
Tune the provided Sigma rules for your environment, addressing false positives by exempting known, legitimate behavior.