XML Security Library Vulnerability in SimpleSAMLphp
CVE-2026-32600

8.2 HIGH

Key Information:

Vendor
CVE Published: 13 March 2026

What is CVE-2026-32600?

The xml-security library, which SimpleSAMLphp uses to implement XML signatures and encryption, has a flaw in how it validates the length of the authentication tag. Versions prior to 2.3.1 mishandle that validation for nodes encrypted with aes-128-gcm, aes-192-gcm or aes-256-gcm. This lets an attacker brute-force the authentication tag, potentially recovering the GHASH key and decrypting sensitive data; it also allows arbitrary ciphertexts to be forged, so data can be altered without access to the encryption key. Version 2.3.1 fixes the issue, and upgrading is necessary to preserve the confidentiality and integrity of encrypted XML.

Affected Version(s)

xml-security >= 2.0.0, < 2.3.1 < 2.0.0, 2.3.1

xml-security < 1.13.9 < 1.13.9

References

CVSS V3.1

Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
