SAML 2.0 Signature Bypass Vulnerability in Cloud Foundry UAA
CVE-2026-22734

8.6HIGH

Key Information:

Vendor: Cloud Foundry
Status: Uua
Vendor: CVE Published:; 16 April 2026

🔔 Create Cloud Foundry Vulnerability Alert

What is CVE-2026-22734?

The Cloud Foundry UAA has a significant vulnerability that permits attackers to exploit the SAML 2.0 bearer assertions mechanism. When SAML 2.0 bearer assertions are enabled for a client, the UAA fails to enforce the requirement for these assertions to be signed or encrypted. This oversight allows malicious actors to forge assertions, subsequently obtaining valid access tokens for any user, thereby compromising UAA-protected systems. Organizations using UAA version 77.30.0 through 78.7.0, as well as CF Deployment versions 48.7.0 through 54.14.0, are particularly at risk and should take prompt action to mitigate this threat.

Affected Version(s)

UUA v77.21.0

References

https://www.cloudfoundry.org/blog/cve-2026-22734-uaa-saml...

CVSS V3.1

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 16, 2026
Vulnerability Reserved
Jan 9, 2026

CVE-2026-22734 Data

JSON