<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>SimpleSAMLphp - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/simplesamlphp/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 11:27:06 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/simplesamlphp/feed.xml" rel="self" type="application/rss+xml"/><item><title>SimpleSAMLphp HTTP-Artifact Authentication Bypass via TLS Validator Confusion (CVE-2026-49283)</title><link>https://feed.craftedsignal.io/briefs/2026-07-simplesamlphp-auth-bypass/</link><pubDate>Fri, 03 Jul 2026 11:27:06 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-simplesamlphp-auth-bypass/</guid><description>A critical vulnerability (CVE-2026-49283) in SimpleSAMLphp's HTTP-Artifact receive path allows a malicious or lower-trust Identity Provider (IdP) to bypass authentication and impersonate users from a higher-trust IdP by leveraging a flaw where `SOAPClient::validateSSL()` fails to properly validate TLS public keys for unsigned SAML Responses.</description><content:encoded><![CDATA[<p>A critical vulnerability (CVE-2026-49283) in SimpleSAMLphp's HTTP-Artifact receive path allows a malicious or lower-trust Identity Provider (IdP) to bypass authentication and impersonate users from a higher-trust IdP. This flaw, present in versions &lt; 4.20.2, &gt;= 5.0.0 &lt; 5.0.6, and &gt;= 6.0.0 &lt; 6.2.1 of the <code>saml2</code> and <code>saml2-legacy</code> packages, occurs because the <code>SOAPClient::validateSSL()</code> method fails to throw an exception when the TLS public key does not match, causing <code>SAML2\Message::validate()</code> to incorrectly deem an unsigned embedded SAML <code>Response</code> as cryptographically valid. This enables the attacker to forge assertion attributes, NameID, and session data, effectively authenticating as arbitrary users from a high-assurance IdP within a multi-IdP or federation deployment. For defenders, this means a compromised or untrusted IdP within their trust circle could gain unauthorized access to Service Providers, violating trust boundaries and leading to significant data breaches or unauthorized system access.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A malicious or lower-trust Identity Provider (IdP) crafts an unsigned SAML <code>Response</code> that claims to be issued by a high-trust IdP.</li>
<li>The malicious IdP sends an HTTP-Artifact <code>Response</code> containing this forged <code>SAML Response</code> to the Service Provider (SP).</li>
<li>The SP's SimpleSAMLphp installation receives the HTTP-Artifact <code>Response</code> and initiates its <code>HTTPArtifact::receive()</code> processing flow.</li>
<li>During processing of the <code>ArtifactResponse</code>, the <code>SOAPClient::addSSLValidator()</code> mechanism is invoked, providing a TLS-based validator for the outer SOAP message.</li>
<li>The embedded unsigned SAML <code>Response</code> is then passed to <code>SAML2\Message::validate()</code>, which delegates signature validation to the validator provided by the outer <code>ArtifactResponse</code>.</li>
<li>The <code>SOAPClient::validateSSL()</code> method, when called to validate the embedded SAML <code>Response</code>, returns normally even though the TLS public key does not match the key for the claimed high-trust IdP.</li>
<li>Because <code>SOAPClient::validateSSL()</code> did not throw an exception, <code>SAML2\Message::validate()</code> incorrectly interprets this as successful validation, treating the unsigned embedded SAML <code>Response</code> as cryptographically valid.</li>
<li>The SP then processes this maliciously validated SAML <code>Response</code> using metadata from the claimed high-trust IdP, granting the attacker authentication as arbitrary users from that IdP.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This vulnerability allows a malicious or lower-trust IdP within the same SP/federation trust set to authenticate to the Service Provider (SP) as arbitrary users from any higher-trust IdP when the HTTP-Artifact binding is in use. Attackers can choose and forge assertion attributes, <code>NameID</code>, and session data within the unsigned assertion, gaining unauthorized access as legitimate users. This represents a severe authentication bypass and identity-provider impersonation issue, fundamentally undermining the security boundaries in federated environments where the integrity of different IdPs is critical. If exploited, it could lead to widespread unauthorized access, data exfiltration, or further compromise of systems relying on the affected SimpleSAMLphp instances.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-49283 by updating SimpleSAMLphp to a non-vulnerable version immediately:
<ul>
<li><code>composer/simplesamlphp/saml2</code>: Upgrade to <code>6.2.1</code> or later.</li>
<li><code>composer/simplesamlphp/saml2</code>: Upgrade to <code>5.0.6</code> or later for version 5.x branch.</li>
<li><code>composer/simplesamlphp/saml2</code> or <code>composer/simplesamlphp/saml2-legacy</code>: Upgrade to <code>4.20.2</code> or later for version 4.x branch.</li>
</ul>
</li>
<li>Review authentication logs for unusual login patterns or failed authentications originating from specific IdPs, especially if using HTTP-Artifact binding.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>saml</category><category>authentication-bypass</category><category>identity-federation</category></item><item><title>SimpleSAMLphp Vulnerable to Denial-of-Service via Malicious XPath Transform</title><link>https://feed.craftedsignal.io/briefs/2026-07-simplesamlphp-dos-xpath/</link><pubDate>Fri, 03 Jul 2026 11:25:05 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-simplesamlphp-dos-xpath/</guid><description>SimpleSAMLphp and its SAML2 library are vulnerable to CVE-2026-49289, allowing attackers to perform a Denial-of-Service attack by sending specially crafted SAML messages containing XPath transforms, leading to resource exhaustion and service unavailability.</description><content:encoded><![CDATA[<p>SimpleSAMLphp, a widely used open-source PHP application for SAML 2.0 service providers and identity providers, along with its underlying SAML2 library (composer/simplesamlphp/saml2 and composer/simplesamlphp/saml2-legacy), was found to be vulnerable to a Denial-of-Service (DoS) attack, tracked as CVE-2026-49289. The vulnerability, identified on or before July 2, 2026, arises from its handling of XPath transforms within SAML messages. Attackers can craft malicious SAML messages that, when processed by a vulnerable SimpleSAMLphp instance, cause resource exhaustion and lead to service interruption. This impacts any entity relying on these components and necessitates immediate updates to mitigate the risk of service disruption. A mitigation has been implemented in later versions (beyond 4.20.2) to restrict the number of transforms and disallow XPath transforms explicitly.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a target entity relying on SimpleSAMLphp for SAML processing.</li>
<li>The attacker crafts a specially designed SAML message incorporating complex or excessive XPath transforms.</li>
<li>The malicious SAML message is sent to the vulnerable SimpleSAMLphp instance, typically via an unauthenticated or authenticated SAML request/response endpoint.</li>
<li>The SimpleSAMLphp application receives and begins parsing the incoming SAML message, including its XPath transforms.</li>
<li>During the processing of the XPath transforms, the application consumes excessive system resources (CPU, memory).</li>
<li>Due to resource exhaustion, the SimpleSAMLphp instance becomes unresponsive or crashes, leading to a Denial-of-Service for legitimate users.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-49289 allows an attacker to render any entity relying on SimpleSAMLphp or the SAML2 library (versions &lt;= 4.20.2) unavailable. This directly impacts the ability of legitimate users to authenticate or access services protected by SimpleSAMLphp, leading to significant operational disruption, reputational damage, and potential financial losses for affected organizations. The vulnerability affects critical authentication infrastructure, making it a high-priority concern for any organization utilizing SimpleSAMLphp.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-49289 by upgrading <code>composer/simplesamlphp/saml2</code> and <code>composer/simplesamlphp/saml2-legacy</code> to versions greater than 4.20.2 immediately.</li>
<li>Review the mitigation details provided in the GHSA-5cjr-mxj5-wmrx advisory for specific implementation guidance.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>denial-of-service</category><category>vulnerability</category><category>saml</category><category>php</category></item><item><title>SimpleSAMLphp SP IdP Bypass Vulnerability (CVE-2026-49284)</title><link>https://feed.craftedsignal.io/briefs/2026-07-simplesamlphp-idp-bypass/</link><pubDate>Fri, 03 Jul 2026 11:11:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-simplesamlphp-idp-bypass/</guid><description>SimpleSAMLphp's Service Provider (SP) does not properly enforce the expected Identity Provider (IdP) for an SP-initiated login when a response from a different IdP is received, allowing an attacker to exploit CVE-2026-49284 in multi-IdP deployments to bypass authentication and authorization controls by substituting a lower-trust IdP's response for a higher-trust one, potentially gaining unauthorized access or elevating privileges if application authorization relies on the specific IdP used.</description><content:encoded><![CDATA[<p>A vulnerability (CVE-2026-49284) has been identified in SimpleSAMLphp affecting versions up to 2.4.6 and between 2.5.0 and 2.5.1. This flaw stems from the Service Provider (SP) failing to enforce the intended Identity Provider (IdP) during an SP-initiated login, particularly in multi-IdP environments. Specifically, if a saved SP state expects a response from IdP A, but the Assertion Consumer Service (ACS) receives a valid SAML response from a different IdP (IdP B), SimpleSAMLphp logs a warning but proceeds to process the response. This behavior is critical when combined with the SP's handling of unsigned <code>samlp:Response/@InResponseTo</code> elements outside of signed assertions, especially if the signed assertion's <code>SubjectConfirmationData</code> lacks its own <code>InResponseTo</code>. This combination allows an attacker to bind a response from a trusted, but potentially lower-trust, IdP to SP state originally created for a higher-trust IdP, leading to authentication and authorization bypasses.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access / User Impersonation:</strong> A legitimate user initiates an SP-initiated SAML login request to a SimpleSAMLphp SP, which expects authentication from a specific high-trust IdP (IdP A).</li>
<li><strong>Attacker Intercepts/Manipulates Flow:</strong> An attacker manipulates the SAML exchange, potentially redirecting the user or crafting a SAML response from a trusted, but lower-assurance, IdP (IdP B) that the SP also trusts.</li>
<li><strong>Crafted SAML Response:</strong> The attacker generates a SAML response from IdP B. This response contains a valid, signed assertion but deliberately omits the <code>InResponseTo</code> attribute within <code>SubjectConfirmationData</code>.</li>
<li><strong>Unsigned Response-Level <code>InResponseTo</code>:</strong> The attacker also includes an unsigned <code>samlp:Response/@InResponseTo</code> attribute in the overall SAML response, which matches the expected value from the SP-initiated request.</li>
<li><strong>SimpleSAMLphp Processing Flaw:</strong> The SimpleSAMLphp SP receives this crafted SAML response. Despite the <code>ExpectedIssuer</code> in its saved state pointing to IdP A, it processes the response from IdP B because the assertion is validly signed and the <code>InResponseTo</code> checks are bypassed by the combination of missing <code>SubjectConfirmationData/InResponseTo</code> and unsigned <code>Response/InResponseTo</code>.</li>
<li><strong>IdP Mismatch Ignored:</strong> The SP issues a warning about the IdP mismatch but continues processing, accepting the authentication from IdP B.</li>
<li><strong>Authentication/Authorization Bypass:</strong> The user is authenticated by the SP as if they had logged in via IdP A, potentially bypassing intended authorization checks or gaining access with different trust levels than expected.</li>
<li><strong>Unauthorized Access / Privilege Escalation:</strong> If the application's authorization relies on the specific IdP used for login or its associated trust level, the attacker achieves unauthorized access or privilege escalation within the application.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This vulnerability significantly impacts deployments where SimpleSAMLphp functions as a Service Provider (SP) and trusts multiple Identity Providers (IdPs) with varying levels of assurance, different tenant boundaries, or distinct attribute namespaces. The primary consequence is an authentication and authorization bypass, enabling a lower-trust IdP to satisfy SP state created for a higher-trust or specific expected IdP. This can subvert security mechanisms designed to route users to particular IdPs, including configurations with <code>enable_unsolicited</code> set to <code>false</code>. Attackers could gain unauthorized access or escalate privileges within the application if authorization decisions are tied to the selected IdP or its trust context. The severity of the impact is contingent on the attacker's ability to obtain signed IdP-initiated assertions from a trusted, but less secure, IdP and how application authorization maps user identifiers.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade SimpleSAMLphp to a patched version immediately to remediate <code>CVE-2026-49284</code>.</li>
<li>Review your SimpleSAMLphp <code>sp-remote</code> configurations for any multi-IdP deployments that might be affected by <code>CVE-2026-49284</code>.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>saml</category><category>vulnerability</category><category>web-application</category><category>authentication-bypass</category><category>authorization-bypass</category></item></channel></rss>