SAML Injection Vulnerability in samlify Library by TNGan
CVE-2026-46490

8.7HIGH

Key Information:

Vendor

Tngan

Status
Vendor
CVE Published:
8 June 2026

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2026-46490?

The samlify library, used for SAML single sign-on in Node.js applications, is susceptible to an injection vulnerability prior to version 2.13.0. This issue arises because the library's template substitution mechanism fails to properly escape values inserted into XML element texts, allowing an attacker to inject malicious XML markup into attribute values. Consequently, a normal user can manipulate attributes (e.g., email, name) to embed unauthorized saml:Attribute elements within a signed assertion. When the Identity Provider (IdP) signs this compromised assertion, the Service Provider (SP) may accept these tampered attributes as legitimate. This can lead to privilege escalation dangers whenever these attributes are leveraged for authorization purposes. The vulnerability was addressed and fixed in version 2.13.0.

Affected Version(s)

samlify < 2.13.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.