{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/sso/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["sentry","Sentry SaaS"],"_cs_severities":["medium"],"_cs_tags":["authentication","saml","sso","account takeover","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Sentry"],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-42354, has been identified in the SAML Single Sign-On (SSO) implementation of Sentry, potentially allowing an attacker to compromise user accounts. This vulnerability stems from improper authentication during the SAML SSO process, leading to the possibility of user identity linking. The vulnerability affects Sentry versions 21.12.0 up to and including 26.4.0. To exploit this vulnerability, an attacker requires a malicious SAML Identity Provider and access to another organization within the same Sentry instance, coupled with knowledge of the victim\u0026rsquo;s email address. This attack vector poses a significant risk to self-hosted Sentry instances that are configured with multiple organizations (SENTRY_SINGLE_ORGANIZATION = False), where a malicious user possesses the necessary permissions to modify SSO settings for a different organization. Sentry SaaS has already been patched in April.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains access to a Sentry instance that has multiple organizations configured.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains permissions to modify the SAML SSO settings of at least one organization within the Sentry instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SAML Identity Provider (IdP) designed to inject or manipulate user identity attributes.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the malicious SAML IdP to initiate a single sign-on (SSO) process to a Sentry organization they control.\u003c/li\u003e\n\u003cli\u003eThe attacker provides the email address of the targeted victim, linking the victim\u0026rsquo;s identity in the Sentry instance to the malicious SAML IdP.\u003c/li\u003e\n\u003cli\u003eThe victim attempts to log in to their Sentry account through SAML SSO.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, Sentry incorrectly authenticates the victim based on the attributes provided by the attacker\u0026rsquo;s malicious SAML IdP.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully takes over the victim\u0026rsquo;s account, gaining access to sensitive data and functionalities associated with the victim\u0026rsquo;s privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to complete account takeover, resulting in unauthorized access to sensitive project data, configuration settings, and potentially even administrative privileges within the Sentry instance. This poses a substantial risk to organizations using vulnerable Sentry versions, as attackers could exfiltrate sensitive information, modify configurations, or disrupt services. The impact is particularly severe for self-hosted Sentry instances with multiple organizations, where a single compromised account could lead to broader access across the entire platform.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade self-hosted Sentry instances to version 26.4.1 or higher to patch CVE-2026-42354.\u003c/li\u003e\n\u003cli\u003eEnable user account-based two-factor authentication (2FA) for all Sentry accounts as a preventative measure, as mentioned in the Workarounds section.\u003c/li\u003e\n\u003cli\u003eMonitor Sentry audit logs for any unauthorized changes to SAML SSO configurations, particularly within multi-organization setups, to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview and restrict permissions for modifying SSO settings across all organizations to minimize the attack surface, as described in the Overview.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T20:45:20Z","date_published":"2026-04-30T20:45:20Z","id":"/briefs/2026-05-sentry-saml-takeover/","summary":"A critical vulnerability (CVE-2026-42354) exists in Sentry's SAML SSO implementation that allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same Sentry instance, affecting self-hosted users with multiple organizations configured if a malicious user has permissions to modify SSO settings, while Sentry SaaS was patched in April and self-hosted users are advised to upgrade to version 26.4.1 or higher.","title":"Sentry SAML SSO Improper Authentication Allows User Identity Linking","url":"https://feed.craftedsignal.io/briefs/2026-05-sentry-saml-takeover/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-27197"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["sentry","saml","sso","authentication","account-takeover"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical vulnerability (CVE-2026-27197) has been identified in the SAML Single Sign-On (SSO) implementation within Sentry, a popular error tracking and performance monitoring platform. This vulnerability allows a malicious actor to potentially take over user accounts by leveraging a rogue SAML Identity Provider (IdP) in conjunction with another organization configured within the same Sentry instance. The attacker needs to know the victim\u0026rsquo;s email address for successful exploitation. This flaw primarily impacts self-hosted Sentry deployments with multiple organizations enabled (SENTRY_SINGLE_ORGANIZATION = False) and where a malicious user possesses the ability to modify SSO settings for another organization. Sentry SaaS was patched on February 18, 2026. Self-hosted users should upgrade to version 26.2.0 or later to remediate this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains access to a Sentry instance that hosts multiple organizations. This could be through compromised credentials or other initial access vectors.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target user\u0026rsquo;s email address within the Sentry instance.\u003c/li\u003e\n\u003cli\u003eThe attacker gains permissions to modify SSO settings for an organization within the Sentry instance.\u003c/li\u003e\n\u003cli\u003eThe attacker configures a malicious SAML Identity Provider (IdP) for the organization they control. This IdP is designed to spoof user identities.\u003c/li\u003e\n\u003cli\u003eThe victim attempts to log in to Sentry via SAML SSO.\u003c/li\u003e\n\u003cli\u003eSentry redirects the victim to the attacker\u0026rsquo;s malicious SAML IdP for authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s malicious SAML IdP asserts the victim\u0026rsquo;s identity (using the known email address) to Sentry, but the assertion is illegitimate and controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eSentry, due to the vulnerability, improperly validates the SAML assertion, allowing the attacker to successfully authenticate as the victim and gain unauthorized access to their account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to completely take over a targeted user\u0026rsquo;s Sentry account. This grants the attacker the ability to access sensitive project data, modify configurations, invite/remove team members, and potentially disrupt the entire Sentry instance\u0026rsquo;s operations. The vulnerability affects Sentry versions 21.12.0 up to, but not including, 26.2.0. The number of potential victims depends on the number of vulnerable Sentry instances with multiple organizations configured and the attacker\u0026rsquo;s ability to modify SSO settings.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade self-hosted Sentry instances to version 26.2.0 or later to patch CVE-2026-27197.\u003c/li\u003e\n\u003cli\u003eEnable two-factor authentication (2FA) on all Sentry accounts. Users can manage this in Account Settings \u0026gt; Security, as mentioned in the \u003ca href=\"https://sentry.zendesk.com/hc/en-us/articles/46773315774235-How-do-I-enable-two-factor-authentication-2FA-on-my-Sentry-account\"\u003ehelpdesk article\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor Sentry logs for unusual SSO configuration changes, specifically modifications to SAML Identity Provider settings. Deploy a rule that detects modifications to the \u003ccode\u003eSENTRY_SINGLE_ORGANIZATION\u003c/code\u003e setting, as this is a prerequisite for exploitation.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Suspicious SAML Authentication\u003c/code\u003e to identify potential unauthorized SAML authentication attempts based on unusual IP addresses or user agents.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-18T12:00:00Z","date_published":"2026-04-18T12:00:00Z","id":"/briefs/2026-04-sentry-saml-sso-takeover/","summary":"A critical vulnerability in Sentry's SAML SSO implementation allows account takeover by exploiting improper authentication when multiple organizations are configured, affecting versions 21.12.0 to 26.2.0 and requiring a malicious SAML Identity Provider and knowledge of the victim's email address.","title":"Sentry SAML SSO Improper Authentication Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-sentry-saml-sso-takeover/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-20184"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cisco","webex","sso","certificate-validation","user-impersonation","cve-2026-20184","cloud"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-20184, has been identified in the Single Sign-On (SSO) implementation with Control Hub in CISCO Webex versions 39.6 through 45.4. This improper certificate validation issue allows an unauthenticated, remote attacker to bypass security controls and impersonate legitimate users. CISCO Webex is a widely used cloud-based platform for video meetings and collaboration. Successful exploitation could lead to unauthorized access to sensitive information, disruption of services, and a complete compromise of the CIA triad. The vulnerability poses a significant risk to organizations relying on Webex for internal and external communications. Public proof-of-concept or proof-of-exploitation code is not yet available, but the severity and ease of exploitation warrant immediate attention and patching.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable CISCO Webex instance running a version between 39.6 and 45.4.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious token designed to exploit the improper certificate validation flaw in the SSO with Control Hub.\u003c/li\u003e\n\u003cli\u003eThe attacker connects to a Webex service endpoint, presenting the crafted token.\u003c/li\u003e\n\u003cli\u003eThe vulnerable Webex instance fails to properly validate the certificate associated with the token.\u003c/li\u003e\n\u003cli\u003eThe attacker is authenticated as a targeted user without providing valid credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the targeted user\u0026rsquo;s sensitive information, including meeting schedules, contact lists, and potentially recorded meetings.\u003c/li\u003e\n\u003cli\u003eThe attacker joins Webex meetings without authorization, potentially eavesdropping on confidential conversations or disrupting the meeting.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges within the Webex environment by leveraging the compromised user\u0026rsquo;s access rights, potentially gaining administrative control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-20184 can lead to severe consequences. Attackers can impersonate any user within the Webex service, gaining unauthorized access to confidential meetings, sensitive data, and internal communications. This can result in a breach of confidentiality, integrity, and availability, potentially leading to significant financial losses, reputational damage, and legal liabilities. The number of affected organizations could be substantial given Webex\u0026rsquo;s widespread use across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch all CISCO Webex installations to a version beyond 45.4 to remediate CVE-2026-20184 (Reference: CISCO Security Advisory).\u003c/li\u003e\n\u003cli\u003eUpscale monitoring and detection capabilities to identify any suspicious activity related to unauthorized access attempts within the CISCO Webex environment, as recommended by the CCB (Reference: CCB Advisory).\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect suspicious authentication patterns indicative of exploitation attempts against Webex (Reference: Sigma rule - \u0026ldquo;Webex Suspicious Authentication Pattern\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eEnable and review Webex access logs for unusual login attempts or access patterns originating from unexpected locations (Reference: Webex access logs).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T09:19:48Z","date_published":"2026-04-17T09:19:48Z","id":"/briefs/2026-04-cisco-webex-cert-bypass/","summary":"A critical improper certificate validation vulnerability in CISCO Webex versions 39.6 - 45.4 (CVE-2026-20184) allows a remote, unprivileged attacker to impersonate users, gain unauthorized access, and join meetings without authorization, potentially impacting confidentiality, integrity, and availability.","title":"Critical Certificate Validation Vulnerability in CISCO Webex Allows User Impersonation","url":"https://feed.craftedsignal.io/briefs/2026-04-cisco-webex-cert-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["admidio"],"_cs_severities":["medium"],"_cs_tags":["saml","sso","acs-bypass","admidio","cve-2026-41670"],"_cs_type":"advisory","_cs_vendors":["admidio"],"content_html":"\u003cp\u003eA vulnerability exists in Admidio\u0026rsquo;s SAML IdP implementation within the SSO module (versions 5.0.8 and earlier) that allows for bypassing Assertion Consumer Service (ACS) URL validation. The IdP uses the \u003ccode\u003eAssertionConsumerServiceURL\u003c/code\u003e value directly from incoming SAML AuthnRequest messages as the destination for the SAML response without verifying it against the registered \u003ccode\u003esmc_acs_url\u003c/code\u003e for the corresponding service provider client. An attacker can exploit this by crafting a SAML AuthnRequest with the Entity ID of a registered SP client and an attacker-controlled \u003ccode\u003eAssertionConsumerServiceURL\u003c/code\u003e. This causes the IdP to send the signed SAML response, containing sensitive user identity attributes (login name, email, roles, profile fields), to a URL controlled by the attacker. The default configuration does not require signed AuthnRequests, simplifying exploitation to only needing the SP\u0026rsquo;s Entity ID.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies the Entity ID of a registered SAML service provider (SP) client within the Admidio IdP. This is often publicly available from the SP\u0026rsquo;s metadata endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SAML AuthnRequest. The AuthnRequest includes the legitimate SP Entity ID as the Issuer, but sets the \u003ccode\u003eAssertionConsumerServiceURL\u003c/code\u003e to a URL controlled by the attacker (e.g., \u003ccode\u003ehttps://attacker.test/steal-saml\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted SAML AuthnRequest to Admidio\u0026rsquo;s SSO endpoint (\u003ccode\u003e/modules/sso/index.php/saml/sso\u003c/code\u003e) using the HTTP-POST binding, typically by tricking a logged-in user into accessing a webpage containing an auto-submitting form.\u003c/li\u003e\n\u003cli\u003eAdmidio\u0026rsquo;s SSO module receives the AuthnRequest. If signature validation is not enforced for the SP, the request proceeds without signature verification.\u003c/li\u003e\n\u003cli\u003eIf the user is already authenticated with the Admidio IdP, the IdP generates a signed SAML response containing the user\u0026rsquo;s identity and attributes. The destination of the SAML response is set to the attacker-controlled \u003ccode\u003eAssertionConsumerServiceURL\u003c/code\u003e taken directly from the AuthnRequest.\u003c/li\u003e\n\u003cli\u003eAdmidio renders an auto-submitting HTML form in the victim\u0026rsquo;s browser, which POSTs the signed SAML response to the attacker\u0026rsquo;s URL (\u003ccode\u003ehttps://attacker.test/steal-saml\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s server receives the SAML response, extracting the user\u0026rsquo;s login name, email, full name, roles, and any other profile fields included in the assertion.\u003c/li\u003e\n\u003cli\u003eThe attacker replays the stolen SAML assertion to the legitimate SP to authenticate as the victim, gaining unauthorized access to the SP application and its resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to steal user identities and impersonate victims on legitimate service provider applications. This leads to unauthorized access to user accounts and potential access to sensitive data and resources within those applications. The scope change enables impersonation across separate service provider applications. The vulnerability is exploitable without requiring knowledge of cryptographic keys if \u003ccode\u003esmc_require_auth_signed\u003c/code\u003e is not enabled, making it easier to exploit. All versions of Admidio up to and including 5.0.8 are affected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the vendor-supplied patch described in GHSA-p9w9-87c8-m235 by upgrading to a version of Admidio greater than 5.0.8.\u003c/li\u003e\n\u003cli\u003eAs a temporary mitigation, enable \u003ccode\u003esmc_require_auth_signed\u003c/code\u003e and \u003ccode\u003esmc_validate_signatures\u003c/code\u003e for all SAML clients to enforce signature validation, mitigating attacks from unauthenticated sources.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to the Admidio SSO endpoint (\u003ccode\u003e/modules/sso/index.php/saml/sso\u003c/code\u003e) with suspicious \u003ccode\u003eSAMLRequest\u003c/code\u003e parameters containing attacker-controlled \u003ccode\u003eAssertionConsumerServiceURL\u003c/code\u003e values, which can be detected using the \u0026ldquo;Admidio SAML AuthnRequest ACS URL Override\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections to attacker-controlled URLs, such as \u003ccode\u003ehttps://attacker.test/steal-saml\u003c/code\u003e, which may indicate successful exploitation and the exfiltration of SAML responses as listed in the IOC table.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"/briefs/2024-01-29-admidio-saml-acs-bypass/","summary":"Admidio's SAML IdP implementation in its SSO module is vulnerable to sending SAML responses to unvalidated Assertion Consumer Service URLs, allowing an attacker to craft a SAML AuthnRequest with an arbitrary AssertionConsumerServiceURL, causing the IdP to send the signed SAML response, containing user identity attributes, to an attacker-controlled URL, enabling impersonation of the victim user on the legitimate SP by replaying the SAML assertion.","title":"Admidio SAML Assertion Consumer Service (ACS) URL Validation Bypass","url":"https://feed.craftedsignal.io/briefs/2024-01-29-admidio-saml-acs-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Sso","version":"https://jsonfeed.org/version/1.1"}