What is the CVSS score of CVE-2026-41005?

CVE-2026-41005 has a CVSS 3.1 base score of 9.0 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Cloud Foundry UAA are affected by CVE-2026-41005?

Cloud Foundry UAA versions 2.0.0 through 78.13.0 contain a critical authentication bypass vulnerability allowing remote attackers to forge SAML assertions and impersonate any user by exploiting XML…. A patch is available.

How to fix or mitigate CVE-2026-41005?

Within 24 hours: Identify and inventory all Cloud Foundry UAA instances running versions 2.0.0-78.13.0; implement immediate network segmentation to restrict SAML assertion traffic to known, trusted Identity Providers only. Within 7 days: Deploy enhanced logging and SIEM alerting for SAML assertion processing and authentication events; implement strict ingress filtering and evaluate temporary disabling of SAML federation. Within 30 days: Establish vendor communication protocol to track patch availability; plan migration strategy to non-vulnerable architecture or UAA versions once patches are released.

Cloud Foundry UAA CVE-2026-41005

EUVD-2026-36311 CRITICAL

Improper Verification of Cryptographic Signature (CWE-347)

2026-06-11 vmware

GHSA-wx8w-j86h-c458

Jwt Attack Denial Of Service Uaa Cf Deployment

9.0

CVSS 3.1 · Vendor: vmware

Severity by source

Vendor (vmware) PRIMARY

9.0 CRITICAL

AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

vuln.today AI

8.7 HIGH

Network-reachable SAML endpoint with no auth or user interaction; AC:H because exploitation requires non-default wantAssertionSigned=false config; S:C reflects platform-wide impersonation; A:N - described impact is identity spoofing, not availability.

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Primary rating from Vendor (vmware).

CVSS VectorVendor: vmware

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch available

Jun 11, 2026 - 22:01 EUVD

Analysis Generated

Jun 11, 2026 - 21:29 vuln.today

DescriptionCVE.org

Cloud Foundry UAA incorrectly treated XML encryption to the Service Provider (confidentiality) as a substitute for XML signatures from the Identity Provider (authenticity) in two SAML flows: the OAuth 2.0 SAML2 bearer grant (token endpoint) and browser SSO (ACS) when wantAssertionSigned is set to false. Assertions or responses that were unsigned but contained encrypted content could still be accepted. Encryption uses the SP's public key from published metadata, therefore, any party, not only a trusted IdP, can produce ciphertext UAA can decrypt; successful decryption therefore does not prove the IdP issued the message.

Affected versions: Cloud Foundry UAA (uaa_release) 2.0.0 through 78.13.0. Cloud Foundry CF Deployment all versions through 56.1.0.

AnalysisAI

Authentication bypass in Cloud Foundry UAA (User Account and Authentication) versions 2.0.0 through 78.13.0 allows remote attackers to forge SAML assertions and impersonate users by exploiting a logic flaw where XML encryption was accepted as a substitute for XML signature verification. Because the Service Provider's public encryption key is published in SAML metadata, any party - not just a trusted Identity Provider - can craft encrypted-but-unsigned assertions that UAA will decrypt and trust, breaking the identity-assurance guarantee of SAML. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Fetch UAA SAML SP metadata

Delivery

Extract SP encryption public key

Exploit

Forge SAML assertion naming victim user

Install

Encrypt assertion to SP public key, omit IdP signature

Submit to ACS or SAML2 bearer token endpoint

Execute

UAA decrypts and trusts forged identity

Impact

Obtain OAuth token as impersonated admin

Recon

Fetch UAA SAML SP metadata

Delivery

Extract SP encryption public key

Exploit

Forge SAML assertion naming victim user

Install

Encrypt assertion to SP public key, omit IdP signature

Submit to ACS or SAML2 bearer token endpoint

Execute

UAA decrypts and trusts forged identity

Impact

Obtain OAuth token as impersonated admin

Vulnerability AssessmentAI

Exploitation	Target UAA must have at least one SAML IdP provider configuration with wantAssertionSigned set to false (the vulnerable code path explicitly checks this flag), and either the OAuth 2.0 SAML2 bearer grant must be enabled at the token endpoint or the browser SSO ACS endpoint must be reachable by the attacker. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS:3.1 vector AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H yields 9.0 (Critical) and is broadly consistent with the description: network-reachable SAML endpoints (AV:N), no authentication or user interaction required (PR:N/UI:N), and a scope change (S:C) reflecting that compromising UAA breaks the trust boundary into every downstream CF-managed resource. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker fetches the target UAA's public SAML SP metadata (typically exposed at /saml/metadata) to obtain the SP encryption certificate, then crafts a SAML Response or Assertion that names a privileged victim user (e.g., a Cloud Foundry admin) in the Subject, encrypts the assertion to the SP's public key, and omits any IdP signature. The attacker POSTs this to the UAA ACS endpoint or exchanges it at the token endpoint via the SAML2 bearer grant, and UAA - finding wantAssertionSigned=false and successfully decrypting the payload - issues an OAuth access token as the impersonated user, granting full platform control. …
Remediation	Upgrade uaa_release beyond 78.13.0 and cf-deployment beyond 56.1.0 to the patched release line per the Cloud Foundry advisory at https://www.cloudfoundry.org/blog/cve-2026-41005-uaa-accepts-saml-encrypted-assertions-authentication-bypass/; the input data does not state an exact fixed version, so consult the advisory for the current minimum safe release. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and inventory all Cloud Foundry UAA instances running versions 2.0.0-78.13.0; implement immediate network segmentation to restrict SAML assertion traffic to known, trusted Identity Providers only. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-48558 CRITICAL Act Now POC

9.5 Jun 12

Authentication bypass in SimpleHelp 5.5.15 and prior (plus 6.0 pre-release builds) allows remote unauthenticated attacke

CVE-2026-10795 HIGH This Week POC

8.1 Jun 11

Remote code execution in UpdraftPlus: WP Backup & Migration Plugin for WordPress (versions ≤1.26.4) allows unauthenticat

CVE-2026-50010 HIGH This Week

7.5 Jun 12

TLS hostname verification is silently disabled in Netty's netty-handler module for any client built with SslContextBuild

CVE-2026-50634 MEDIUM This Month

6.5 Jun 11

Signature metadata trust bypass in Apache CXF's JwsJsonContainerRequestFilter allows an attacker who can send JWS JSON-s

CVE-2026-42743 MEDIUM This Month

6.5 Jun 15

Unauthenticated broken authentication in the Masteriyo LMS WordPress plugin (versions ≤2.1.8) stems from improper JWT si

CVE-2026-41005 vulnerability details – vuln.today

Back

Cloud Foundry UAA CVE-2026-41005

Severity by source

CVSS VectorVendor: vmware

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

More from same product – last 7 days

Share

External POC / Exploit Code