Skip to main content

SimpleSAMLphp saml2 CVE-2026-49283

HIGH
Improper Certificate Validation (CWE-295)
2026-07-02 https://github.com/simplesamlphp/saml2 GHSA-6929-8p9f-26jx
8.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
vuln.today AI
8.7 HIGH

Attacker must hold a trusted federation IdP position (PR:H) to send network Artifact responses; impersonation crosses the SP trust boundary (S:C) with high C/I and no availability impact.

3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 20:51 vuln.today

DescriptionGitHub Advisory

Summary

SimpleSAMLphp's HTTP-Artifact receive path can treat an unsigned embedded SAML Response as cryptographically valid for the wrong IdP.

In the HTTPArtifact::receive() flow, the SOAP ArtifactResponse receives a TLS-based validator from SOAPClient::addSSLValidator(). The embedded SAML Response then receives a validator that delegates signature validation to that outer ArtifactResponse. Later, the SP validates the embedded Response against metadata selected from the embedded response issuer, not necessarily the artifact issuer.

The critical issue is that SOAPClient::validateSSL() returns normally when the TLS public key does not match the key currently being validated. SAML2\Message::validate() treats any validator call that does not throw an exception as successful. As a result, an ArtifactResponse obtained from one IdP can validate an unsigned embedded SAML Response that claims to be issued by a different IdP.

In a multi-IdP/federation deployment where a malicious or lower-trust IdP can issue an HTTP-Artifact response to an SP, this can allow the attacker to authenticate to the SP as arbitrary users from a higher-trust victim IdP.

Impact

A malicious or lower-trust IdP in the same SP/federation trust set can authenticate to the SP as users from another IdP when HTTP-Artifact is used. The attacker can choose assertion attributes, NameID, and session data in the forged unsigned assertion.

This is an authentication bypass and identity-provider impersonation issue. In realistic federations, the security boundary between IdPs matters: a compromised or low-assurance IdP should not be able to mint identities for a high-assurance IdP.

AnalysisAI

Authentication bypass and IdP impersonation in the SimpleSAMLphp saml2 library (and the saml2-legacy package) lets a malicious or lower-trust identity provider in a shared federation forge assertions for higher-trust IdPs when the HTTP-Artifact binding is used. Because the TLS-based validator applied to the SOAP ArtifactResponse returns normally instead of throwing when its public key does not match the embedded Response, an unsigned embedded SAML Response claiming a different issuer is accepted as valid, allowing an attacker to log into the SP as arbitrary users of a victim IdP. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain trusted or compromised IdP role in federation
Delivery
Craft unsigned SAML Response impersonating victim-IdP user
Exploit
Return it via HTTP-Artifact ArtifactResponse to SP
Execution
TLS validator returns without throwing on key mismatch
Persist
SP accepts forged assertion as valid
Impact
Authenticate to SP as arbitrary victim-IdP user

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) the SP to accept the SAML HTTP-Artifact binding, (2) a multi-IdP/federation deployment where more than one IdP is trusted by the same SP, and (3) the attacker to control or have compromised an IdP that is a member of that SP's trust set and can return an ArtifactResponse. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N, base 8.7) accurately captures a network-reachable, low-complexity attack with scope change and high confidentiality/integrity impact, but the PR:H metric is central: exploitation is not open to anonymous internet attackers. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker operating a low-assurance IdP that shares an SP with a high-assurance IdP crafts an unsigned SAML Response asserting a victim user's NameID and attributes, then delivers it to the SP through the HTTP-Artifact back-channel. Because the SP's TLS-based validator returns without throwing on the mismatched key, the SP accepts the forged Response as validly issued and logs the attacker in as the victim user. …
Remediation Patch available per vendor advisory: upgrade simplesamlphp/saml2 (and simplesamlphp/saml2-legacy where used) to the fixed release identified in GHSA-6929-8p9f-26jx (https://github.com/simplesamlphp/saml2/security/advisories/GHSA-6929-8p9f-26jx); the exact fixed version is not stated in the available input, so verify it in the advisory before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all systems running SimpleSAMLphp saml2 or saml2-legacy, identify which deployments use HTTP-Artifact binding, and brief incident response leadership. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-49283 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy