Skip to main content

Xml Security EUVDEUVD-2026-12099

| CVE-2026-32600 HIGH
Improper Validation of Integrity Check Value (CWE-354)
2026-03-13 GitHub_M GHSA-r353-4845-pr5p
8.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 13, 2026 - 21:01 euvd
EUVD-2026-12099
Analysis Generated
Mar 13, 2026 - 21:01 vuln.today
CVE Published
Mar 13, 2026 - 19:58 nvd
HIGH 8.2

DescriptionGitHub Advisory

xml-security is a library that implements XML signatures and encryption. Prior to 2.3.1, XML nodes encrypted with either aes-128-gcm, aes-192-gcm, or aes-256-gcm lack validation of the authentication tag length. An attacker can use this to brute-force an authentication tag, recover the GHASH key, and decrypt the encrypted nodes. It also allows to forge arbitrary ciphertexts without knowing the encryption key. This vulnerability is fixed in 2.3.1.

AnalysisAI

Critical authentication bypass vulnerability in the simplesamlphp/xml-security library (versions before 2.3.1) that affects XML encryption using AES-GCM modes. Attackers can exploit missing authentication tag validation to brute-force decryption keys, decrypt sensitive XML data, and forge arbitrary ciphertexts without knowing encryption keys. No active exploitation detected (not in KEV), but the high CVSS score (8.2) and network-based attack vector make this a priority for organizations using affected SAML/XML security implementations.

Technical ContextAI

The xml-security library (CPE: cpe:2.3:a:simplesamlphp:xml-security:*:*:*:*:*:*:*:*) implements XML encryption and digital signatures, commonly used in SAML authentication flows. The vulnerability stems from CWE-354 (Improper Validation of Integrity Check Value) where AES-GCM encrypted XML nodes fail to validate the authentication tag length. GCM mode provides authenticated encryption, but without proper tag validation, the cryptographic integrity protection is compromised. This affects all versions prior to 2.3.1 when using aes-128-gcm, aes-192-gcm, or aes-256-gcm encryption algorithms.

RemediationAI

Primary remediation: Upgrade to xml-security version 2.3.1 or later, which includes the fix (commit fdc12449e959c610943f9fd428e95e3832d74c25). The patch adds proper validation of authentication tag length for GCM modes. Workaround: If immediate patching is not possible, consider temporarily switching to non-GCM encryption modes (e.g., AES-CBC) if your implementation allows, though this may have other security implications. Review the vendor advisory at https://github.com/simplesamlphp/xml-security/security/advisories/GHSA-r353-4845-pr5p for detailed guidance.

Share

EUVD-2026-12099 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy