UAA accepts SAML Encrypted Assertions authentication bypass
CVE-2026-41005

9CRITICAL

Key Information:

Vendor: Cloud Foundry
Status: Uaa; Cf Deployment
Vendor: CVE Published:; 11 June 2026

🔔 Create Cloud Foundry Vulnerability Alert

What is CVE-2026-41005?

Cloud Foundry UAA incorrectly treated XML encryption to the Service Provider (confidentiality) as a substitute for XML signatures from the Identity Provider (authenticity) in two SAML flows: the OAuth 2.0 SAML2 bearer grant (token endpoint) and browser SSO (ACS) when wantAssertionSigned is set to false. Assertions or responses that were unsigned but contained encrypted content could still be accepted. Encryption uses the SP's public key from published metadata, therefore, any party, not only a trusted IdP, can produce ciphertext UAA can decrypt; successful decryption therefore does not prove the IdP issued the message.

Affected versions: Cloud Foundry UAA (uaa_release) 2.0.0 through 78.13.0. Cloud Foundry CF Deployment all versions through 56.1.0.

Affected Version(s)

CF Deployment 0.0.0 < 57.0.0

UAA 2.0.0 < 78.14.0

References

https://www.cloudfoundry.org/blog/cve-2026-41005-uaa-acce...

CVSS V3.1

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 11, 2026
Vulnerability Reserved
Apr 16, 2026

CVE-2026-41005 Data

JSON