SimpleSAMLphp SAML2 CVE-2026-49289
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Network-facing SAML endpoint verifies attacker messages pre-auth with low complexity (AV:N/AC:L/PR:N/UI:N); impact is resource-exhaustion availability only, so C:N/I:N/A:H.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionGitHub Advisory
Summary
This library turned out to be vulnerable to Denial-of-Service attacks using XPath transforms. A mitigation has been put in place to restrict the number of transforms and to restrict transforms to only the transform-algorithms mentioned in the SAML 2.0 Core Specifications (and specifically refuse XPath transforms).
Impact
An attacker is able to send specially crafted messages to any entity relying on SimpleSAMLphp (or directly on this SAML2-library) to be able to perform a Denial-of-Service attack.
AnalysisAI
Denial-of-service in the simplesamlphp/saml2 PHP library (and its saml2-legacy variant, used by SimpleSAMLphp) allows unauthenticated remote attackers to exhaust CPU/memory by submitting SAML messages containing malicious XPath transforms in XML Signature elements. The fix restricts the number of transforms and rejects XPath transforms entirely, permitting only the transform algorithms named in the SAML 2.0 Core specification. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target parse and verify an attacker-supplied SAML message whose XML Signature contains XPath transforms and/or an excessive number of transforms - i.e., the target must be running a vulnerable simplesamlphp/saml2 or saml2-legacy version and must accept inbound SAML messages at a network-reachable endpoint (SAML SP/IdP role). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H is internally consistent and credible: SAML endpoints are network-facing, verification of inbound messages happens before authentication, and the impact is purely availability (C:N/I:N/A:H), yielding a 7.5 High. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker scripts repeated POSTs of crafted SAML responses or requests to a victim's internet-exposed SimpleSAMLphp assertion-consumer endpoint, each embedding chained/XPath signature transforms that are expensive to process. Because verification occurs pre-authentication, every message forces the server to burn CPU and memory, and a modest request rate degrades or knocks the SSO service offline. … |
| Remediation | Patch available per vendor advisory: upgrade simplesamlphp/saml2 (and simplesamlphp/saml2-legacy where used) to the patched release identified in GHSA-5cjr-mxj5-wmrx via 'composer update simplesamlphp/saml2', and update SimpleSAMLphp itself so it pulls the fixed library. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all SimpleSAMLphp deployments using saml2 or saml2-legacy library versions; document which authentication endpoints accept SAML assertions from external partners. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-5cjr-mxj5-wmrx