SimpleSAMLphp saml2 CVE-2026-49283
HIGHSeverity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Attacker must hold a trusted federation IdP position (PR:H) to send network Artifact responses; impersonation crosses the SP trust boundary (S:C) with high C/I and no availability impact.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionGitHub Advisory
Summary
SimpleSAMLphp's HTTP-Artifact receive path can treat an unsigned embedded SAML Response as cryptographically valid for the wrong IdP.
In the HTTPArtifact::receive() flow, the SOAP ArtifactResponse receives a TLS-based validator from SOAPClient::addSSLValidator(). The embedded SAML Response then receives a validator that delegates signature validation to that outer ArtifactResponse. Later, the SP validates the embedded Response against metadata selected from the embedded response issuer, not necessarily the artifact issuer.
The critical issue is that SOAPClient::validateSSL() returns normally when the TLS public key does not match the key currently being validated. SAML2\Message::validate() treats any validator call that does not throw an exception as successful. As a result, an ArtifactResponse obtained from one IdP can validate an unsigned embedded SAML Response that claims to be issued by a different IdP.
In a multi-IdP/federation deployment where a malicious or lower-trust IdP can issue an HTTP-Artifact response to an SP, this can allow the attacker to authenticate to the SP as arbitrary users from a higher-trust victim IdP.
Impact
A malicious or lower-trust IdP in the same SP/federation trust set can authenticate to the SP as users from another IdP when HTTP-Artifact is used. The attacker can choose assertion attributes, NameID, and session data in the forged unsigned assertion.
This is an authentication bypass and identity-provider impersonation issue. In realistic federations, the security boundary between IdPs matters: a compromised or low-assurance IdP should not be able to mint identities for a high-assurance IdP.
AnalysisAI
Authentication bypass and IdP impersonation in the SimpleSAMLphp saml2 library (and the saml2-legacy package) lets a malicious or lower-trust identity provider in a shared federation forge assertions for higher-trust IdPs when the HTTP-Artifact binding is used. Because the TLS-based validator applied to the SOAP ArtifactResponse returns normally instead of throwing when its public key does not match the embedded Response, an unsigned embedded SAML Response claiming a different issuer is accepted as valid, allowing an attacker to log into the SP as arbitrary users of a victim IdP. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) the SP to accept the SAML HTTP-Artifact binding, (2) a multi-IdP/federation deployment where more than one IdP is trusted by the same SP, and (3) the attacker to control or have compromised an IdP that is a member of that SP's trust set and can return an ArtifactResponse. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N, base 8.7) accurately captures a network-reachable, low-complexity attack with scope change and high confidentiality/integrity impact, but the PR:H metric is central: exploitation is not open to anonymous internet attackers. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker operating a low-assurance IdP that shares an SP with a high-assurance IdP crafts an unsigned SAML Response asserting a victim user's NameID and attributes, then delivers it to the SP through the HTTP-Artifact back-channel. Because the SP's TLS-based validator returns without throwing on the mismatched key, the SP accepts the forged Response as validly issued and logs the attacker in as the victim user. … |
| Remediation | Patch available per vendor advisory: upgrade simplesamlphp/saml2 (and simplesamlphp/saml2-legacy where used) to the fixed release identified in GHSA-6929-8p9f-26jx (https://github.com/simplesamlphp/saml2/security/advisories/GHSA-6929-8p9f-26jx); the exact fixed version is not stated in the available input, so verify it in the advisory before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all systems running SimpleSAMLphp saml2 or saml2-legacy, identify which deployments use HTTP-Artifact binding, and brief incident response leadership. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-295 – Improper Certificate Validation
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-6929-8p9f-26jx