{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/simplesamlphp/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["SimpleSAMLphp SAML2 (6.0.0-6.2.0)","SimpleSAMLphp SAML2 (5.0.0-5.0.5)","SimpleSAMLphp SAML2 (\u003c4.20.2)","SimpleSAMLphp SAML2-Legacy (\u003c4.20.2)"],"_cs_severities":["high"],"_cs_tags":["vulnerability","saml","authentication-bypass","identity-federation"],"_cs_type":"advisory","_cs_vendors":["SimpleSAMLphp"],"content_html":"\u003cp\u003eA critical vulnerability (CVE-2026-49283) in SimpleSAMLphp's HTTP-Artifact receive path allows a malicious or lower-trust Identity Provider (IdP) to bypass authentication and impersonate users from a higher-trust IdP. This flaw, present in versions \u0026lt; 4.20.2, \u0026gt;= 5.0.0 \u0026lt; 5.0.6, and \u0026gt;= 6.0.0 \u0026lt; 6.2.1 of the \u003ccode\u003esaml2\u003c/code\u003e and \u003ccode\u003esaml2-legacy\u003c/code\u003e packages, occurs because the \u003ccode\u003eSOAPClient::validateSSL()\u003c/code\u003e method fails to throw an exception when the TLS public key does not match, causing \u003ccode\u003eSAML2\\Message::validate()\u003c/code\u003e to incorrectly deem an unsigned embedded SAML \u003ccode\u003eResponse\u003c/code\u003e as cryptographically valid. This enables the attacker to forge assertion attributes, NameID, and session data, effectively authenticating as arbitrary users from a high-assurance IdP within a multi-IdP or federation deployment. For defenders, this means a compromised or untrusted IdP within their trust circle could gain unauthorized access to Service Providers, violating trust boundaries and leading to significant data breaches or unauthorized system access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious or lower-trust Identity Provider (IdP) crafts an unsigned SAML \u003ccode\u003eResponse\u003c/code\u003e that claims to be issued by a high-trust IdP.\u003c/li\u003e\n\u003cli\u003eThe malicious IdP sends an HTTP-Artifact \u003ccode\u003eResponse\u003c/code\u003e containing this forged \u003ccode\u003eSAML Response\u003c/code\u003e to the Service Provider (SP).\u003c/li\u003e\n\u003cli\u003eThe SP's SimpleSAMLphp installation receives the HTTP-Artifact \u003ccode\u003eResponse\u003c/code\u003e and initiates its \u003ccode\u003eHTTPArtifact::receive()\u003c/code\u003e processing flow.\u003c/li\u003e\n\u003cli\u003eDuring processing of the \u003ccode\u003eArtifactResponse\u003c/code\u003e, the \u003ccode\u003eSOAPClient::addSSLValidator()\u003c/code\u003e mechanism is invoked, providing a TLS-based validator for the outer SOAP message.\u003c/li\u003e\n\u003cli\u003eThe embedded unsigned SAML \u003ccode\u003eResponse\u003c/code\u003e is then passed to \u003ccode\u003eSAML2\\Message::validate()\u003c/code\u003e, which delegates signature validation to the validator provided by the outer \u003ccode\u003eArtifactResponse\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eSOAPClient::validateSSL()\u003c/code\u003e method, when called to validate the embedded SAML \u003ccode\u003eResponse\u003c/code\u003e, returns normally even though the TLS public key does not match the key for the claimed high-trust IdP.\u003c/li\u003e\n\u003cli\u003eBecause \u003ccode\u003eSOAPClient::validateSSL()\u003c/code\u003e did not throw an exception, \u003ccode\u003eSAML2\\Message::validate()\u003c/code\u003e incorrectly interprets this as successful validation, treating the unsigned embedded SAML \u003ccode\u003eResponse\u003c/code\u003e as cryptographically valid.\u003c/li\u003e\n\u003cli\u003eThe SP then processes this maliciously validated SAML \u003ccode\u003eResponse\u003c/code\u003e using metadata from the claimed high-trust IdP, granting the attacker authentication as arbitrary users from that IdP.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows a malicious or lower-trust IdP within the same SP/federation trust set to authenticate to the Service Provider (SP) as arbitrary users from any higher-trust IdP when the HTTP-Artifact binding is in use. Attackers can choose and forge assertion attributes, \u003ccode\u003eNameID\u003c/code\u003e, and session data within the unsigned assertion, gaining unauthorized access as legitimate users. This represents a severe authentication bypass and identity-provider impersonation issue, fundamentally undermining the security boundaries in federated environments where the integrity of different IdPs is critical. If exploited, it could lead to widespread unauthorized access, data exfiltration, or further compromise of systems relying on the affected SimpleSAMLphp instances.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-49283 by updating SimpleSAMLphp to a non-vulnerable version immediately:\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003ecomposer/simplesamlphp/saml2\u003c/code\u003e: Upgrade to \u003ccode\u003e6.2.1\u003c/code\u003e or later.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ecomposer/simplesamlphp/saml2\u003c/code\u003e: Upgrade to \u003ccode\u003e5.0.6\u003c/code\u003e or later for version 5.x branch.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ecomposer/simplesamlphp/saml2\u003c/code\u003e or \u003ccode\u003ecomposer/simplesamlphp/saml2-legacy\u003c/code\u003e: Upgrade to \u003ccode\u003e4.20.2\u003c/code\u003e or later for version 4.x branch.\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003eReview authentication logs for unusual login patterns or failed authentications originating from specific IdPs, especially if using HTTP-Artifact binding.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T11:27:06Z","date_published":"2026-07-03T11:27:06Z","id":"https://feed.craftedsignal.io/briefs/2026-07-simplesamlphp-auth-bypass/","summary":"A critical vulnerability (CVE-2026-49283) in SimpleSAMLphp's HTTP-Artifact receive path allows a malicious or lower-trust Identity Provider (IdP) to bypass authentication and impersonate users from a higher-trust IdP by leveraging a flaw where `SOAPClient::validateSSL()` fails to properly validate TLS public keys for unsigned SAML Responses.","title":"SimpleSAMLphp HTTP-Artifact Authentication Bypass via TLS Validator Confusion (CVE-2026-49283)","url":"https://feed.craftedsignal.io/briefs/2026-07-simplesamlphp-auth-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["composer/simplesamlphp/saml2 \u003c= 4.20.2","composer/simplesamlphp/saml2-legacy \u003c= 4.20.2"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","vulnerability","saml","php"],"_cs_type":"advisory","_cs_vendors":["SimpleSAMLphp"],"content_html":"\u003cp\u003eSimpleSAMLphp, a widely used open-source PHP application for SAML 2.0 service providers and identity providers, along with its underlying SAML2 library (composer/simplesamlphp/saml2 and composer/simplesamlphp/saml2-legacy), was found to be vulnerable to a Denial-of-Service (DoS) attack, tracked as CVE-2026-49289. The vulnerability, identified on or before July 2, 2026, arises from its handling of XPath transforms within SAML messages. Attackers can craft malicious SAML messages that, when processed by a vulnerable SimpleSAMLphp instance, cause resource exhaustion and lead to service interruption. This impacts any entity relying on these components and necessitates immediate updates to mitigate the risk of service disruption. A mitigation has been implemented in later versions (beyond 4.20.2) to restrict the number of transforms and disallow XPath transforms explicitly.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a target entity relying on SimpleSAMLphp for SAML processing.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a specially designed SAML message incorporating complex or excessive XPath transforms.\u003c/li\u003e\n\u003cli\u003eThe malicious SAML message is sent to the vulnerable SimpleSAMLphp instance, typically via an unauthenticated or authenticated SAML request/response endpoint.\u003c/li\u003e\n\u003cli\u003eThe SimpleSAMLphp application receives and begins parsing the incoming SAML message, including its XPath transforms.\u003c/li\u003e\n\u003cli\u003eDuring the processing of the XPath transforms, the application consumes excessive system resources (CPU, memory).\u003c/li\u003e\n\u003cli\u003eDue to resource exhaustion, the SimpleSAMLphp instance becomes unresponsive or crashes, leading to a Denial-of-Service for legitimate users.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-49289 allows an attacker to render any entity relying on SimpleSAMLphp or the SAML2 library (versions \u0026lt;= 4.20.2) unavailable. This directly impacts the ability of legitimate users to authenticate or access services protected by SimpleSAMLphp, leading to significant operational disruption, reputational damage, and potential financial losses for affected organizations. The vulnerability affects critical authentication infrastructure, making it a high-priority concern for any organization utilizing SimpleSAMLphp.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-49289 by upgrading \u003ccode\u003ecomposer/simplesamlphp/saml2\u003c/code\u003e and \u003ccode\u003ecomposer/simplesamlphp/saml2-legacy\u003c/code\u003e to versions greater than 4.20.2 immediately.\u003c/li\u003e\n\u003cli\u003eReview the mitigation details provided in the GHSA-5cjr-mxj5-wmrx advisory for specific implementation guidance.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T11:25:05Z","date_published":"2026-07-03T11:25:05Z","id":"https://feed.craftedsignal.io/briefs/2026-07-simplesamlphp-dos-xpath/","summary":"SimpleSAMLphp and its SAML2 library are vulnerable to CVE-2026-49289, allowing attackers to perform a Denial-of-Service attack by sending specially crafted SAML messages containing XPath transforms, leading to resource exhaustion and service unavailability.","title":"SimpleSAMLphp Vulnerable to Denial-of-Service via Malicious XPath Transform","url":"https://feed.craftedsignal.io/briefs/2026-07-simplesamlphp-dos-xpath/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["simplesamlphp (\u003e= 2.5.0, \u003c= 2.5.1)","simplesamlphp (\u003c= 2.4.6)"],"_cs_severities":["high"],"_cs_tags":["saml","vulnerability","web-application","authentication-bypass","authorization-bypass"],"_cs_type":"advisory","_cs_vendors":["SimpleSAMLphp"],"content_html":"\u003cp\u003eA vulnerability (CVE-2026-49284) has been identified in SimpleSAMLphp affecting versions up to 2.4.6 and between 2.5.0 and 2.5.1. This flaw stems from the Service Provider (SP) failing to enforce the intended Identity Provider (IdP) during an SP-initiated login, particularly in multi-IdP environments. Specifically, if a saved SP state expects a response from IdP A, but the Assertion Consumer Service (ACS) receives a valid SAML response from a different IdP (IdP B), SimpleSAMLphp logs a warning but proceeds to process the response. This behavior is critical when combined with the SP's handling of unsigned \u003ccode\u003esamlp:Response/@InResponseTo\u003c/code\u003e elements outside of signed assertions, especially if the signed assertion's \u003ccode\u003eSubjectConfirmationData\u003c/code\u003e lacks its own \u003ccode\u003eInResponseTo\u003c/code\u003e. This combination allows an attacker to bind a response from a trusted, but potentially lower-trust, IdP to SP state originally created for a higher-trust IdP, leading to authentication and authorization bypasses.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access / User Impersonation:\u003c/strong\u003e A legitimate user initiates an SP-initiated SAML login request to a SimpleSAMLphp SP, which expects authentication from a specific high-trust IdP (IdP A).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAttacker Intercepts/Manipulates Flow:\u003c/strong\u003e An attacker manipulates the SAML exchange, potentially redirecting the user or crafting a SAML response from a trusted, but lower-assurance, IdP (IdP B) that the SP also trusts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCrafted SAML Response:\u003c/strong\u003e The attacker generates a SAML response from IdP B. This response contains a valid, signed assertion but deliberately omits the \u003ccode\u003eInResponseTo\u003c/code\u003e attribute within \u003ccode\u003eSubjectConfirmationData\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnsigned Response-Level \u003ccode\u003eInResponseTo\u003c/code\u003e:\u003c/strong\u003e The attacker also includes an unsigned \u003ccode\u003esamlp:Response/@InResponseTo\u003c/code\u003e attribute in the overall SAML response, which matches the expected value from the SP-initiated request.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSimpleSAMLphp Processing Flaw:\u003c/strong\u003e The SimpleSAMLphp SP receives this crafted SAML response. Despite the \u003ccode\u003eExpectedIssuer\u003c/code\u003e in its saved state pointing to IdP A, it processes the response from IdP B because the assertion is validly signed and the \u003ccode\u003eInResponseTo\u003c/code\u003e checks are bypassed by the combination of missing \u003ccode\u003eSubjectConfirmationData/InResponseTo\u003c/code\u003e and unsigned \u003ccode\u003eResponse/InResponseTo\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eIdP Mismatch Ignored:\u003c/strong\u003e The SP issues a warning about the IdP mismatch but continues processing, accepting the authentication from IdP B.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication/Authorization Bypass:\u003c/strong\u003e The user is authenticated by the SP as if they had logged in via IdP A, potentially bypassing intended authorization checks or gaining access with different trust levels than expected.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnauthorized Access / Privilege Escalation:\u003c/strong\u003e If the application's authorization relies on the specific IdP used for login or its associated trust level, the attacker achieves unauthorized access or privilege escalation within the application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability significantly impacts deployments where SimpleSAMLphp functions as a Service Provider (SP) and trusts multiple Identity Providers (IdPs) with varying levels of assurance, different tenant boundaries, or distinct attribute namespaces. The primary consequence is an authentication and authorization bypass, enabling a lower-trust IdP to satisfy SP state created for a higher-trust or specific expected IdP. This can subvert security mechanisms designed to route users to particular IdPs, including configurations with \u003ccode\u003eenable_unsolicited\u003c/code\u003e set to \u003ccode\u003efalse\u003c/code\u003e. Attackers could gain unauthorized access or escalate privileges within the application if authorization decisions are tied to the selected IdP or its trust context. The severity of the impact is contingent on the attacker's ability to obtain signed IdP-initiated assertions from a trusted, but less secure, IdP and how application authorization maps user identifiers.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade SimpleSAMLphp to a patched version immediately to remediate \u003ccode\u003eCVE-2026-49284\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview your SimpleSAMLphp \u003ccode\u003esp-remote\u003c/code\u003e configurations for any multi-IdP deployments that might be affected by \u003ccode\u003eCVE-2026-49284\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T11:11:00Z","date_published":"2026-07-03T11:11:00Z","id":"https://feed.craftedsignal.io/briefs/2026-07-simplesamlphp-idp-bypass/","summary":"SimpleSAMLphp's Service Provider (SP) does not properly enforce the expected Identity Provider (IdP) for an SP-initiated login when a response from a different IdP is received, allowing an attacker to exploit CVE-2026-49284 in multi-IdP deployments to bypass authentication and authorization controls by substituting a lower-trust IdP's response for a higher-trust one, potentially gaining unauthorized access or elevating privileges if application authorization relies on the specific IdP used.","title":"SimpleSAMLphp SP IdP Bypass Vulnerability (CVE-2026-49284)","url":"https://feed.craftedsignal.io/briefs/2026-07-simplesamlphp-idp-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - SimpleSAMLphp","version":"https://jsonfeed.org/version/1.1"}