Back to overview

CVE-2026-49284

HIGH
7.1
CVSS 3.1
Description
SimpleSAMLphp versions before 1.18.6 contain an information disclosure vulnerability. Prior to 2.4.7 and 2.5.2, SimpleSAMLphp's SAML SP ACS path does not enforce the IdP selected for an SP-initiated login when unsigned Response/InResponseTo is combined with a signed assertion lacking SubjectConfirmationData/InResponseTo, allowing a response issued by one trusted IdP to be bound to SP state created for another IdP and bypass flows that route users to a specific IdP, including deployments that set enable_unsolicited to false. This issue is fixed in versions 2.4.7 and 2.5.2.

Metadata

CVE ID
CVE-2026-49284
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-05-28 20:07 UTC
Published
2026-07-17 19:17 UTC
Last updated
2026-07-17 19:17 UTC
Primary CWE
CWE-345
CWE-345: Insufficient Verification of Data Authenticity
Vendor / Product
simplesamlphp / simplesamlphp
Sources
cve.org  ·  NVD

Severity & Metrics

7.1 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Affected products (1)
VendorProductPlatformVersions
simplesamlphp simplesamlphp < 2.4.7, >= 2.5.0-rc1, < 2.5.2
Weakness (CWE)
CWESourceDescription
CWE-345 cna CWE-345: Insufficient Verification of Data Authenticity
CVSS scores (1)
ScoreSeverityVersionSourceVector
7.1 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
References (3)
Back to overview