Skip to main content

SimpleSAMLphp SAML2 CVE-2026-49289

HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-07-02 https://github.com/simplesamlphp/saml2 GHSA-5cjr-mxj5-wmrx
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Network-facing SAML endpoint verifies attacker messages pre-auth with low complexity (AV:N/AC:L/PR:N/UI:N); impact is resource-exhaustion availability only, so C:N/I:N/A:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 20:51 vuln.today

DescriptionGitHub Advisory

Summary

This library turned out to be vulnerable to Denial-of-Service attacks using XPath transforms. A mitigation has been put in place to restrict the number of transforms and to restrict transforms to only the transform-algorithms mentioned in the SAML 2.0 Core Specifications (and specifically refuse XPath transforms).

Impact

An attacker is able to send specially crafted messages to any entity relying on SimpleSAMLphp (or directly on this SAML2-library) to be able to perform a Denial-of-Service attack.

AnalysisAI

Denial-of-service in the simplesamlphp/saml2 PHP library (and its saml2-legacy variant, used by SimpleSAMLphp) allows unauthenticated remote attackers to exhaust CPU/memory by submitting SAML messages containing malicious XPath transforms in XML Signature elements. The fix restricts the number of transforms and rejects XPath transforms entirely, permitting only the transform algorithms named in the SAML 2.0 Core specification. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Locate exposed SAML endpoint
Delivery
Craft SAML message with malicious XPath transforms
Exploit
Submit to assertion-consumer/verification endpoint
Execution
Signature verification consumes excessive CPU/memory
Persist
Repeat to sustain resource exhaustion
Impact
Service denial for legitimate SSO users

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target parse and verify an attacker-supplied SAML message whose XML Signature contains XPath transforms and/or an excessive number of transforms - i.e., the target must be running a vulnerable simplesamlphp/saml2 or saml2-legacy version and must accept inbound SAML messages at a network-reachable endpoint (SAML SP/IdP role). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H is internally consistent and credible: SAML endpoints are network-facing, verification of inbound messages happens before authentication, and the impact is purely availability (C:N/I:N/A:H), yielding a 7.5 High. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker scripts repeated POSTs of crafted SAML responses or requests to a victim's internet-exposed SimpleSAMLphp assertion-consumer endpoint, each embedding chained/XPath signature transforms that are expensive to process. Because verification occurs pre-authentication, every message forces the server to burn CPU and memory, and a modest request rate degrades or knocks the SSO service offline. …
Remediation Patch available per vendor advisory: upgrade simplesamlphp/saml2 (and simplesamlphp/saml2-legacy where used) to the patched release identified in GHSA-5cjr-mxj5-wmrx via 'composer update simplesamlphp/saml2', and update SimpleSAMLphp itself so it pulls the fixed library. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all SimpleSAMLphp deployments using saml2 or saml2-legacy library versions; document which authentication endpoints accept SAML assertions from external partners. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-49289 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy