Information Disclosure Vulnerability in SimpleSAMLphp by SimpleSAML
CVE-2026-49284
What is CVE-2026-49284?
SimpleSAMLphp versions released before 1.18.6 have a vulnerability that allows information disclosure. This flaw arises from the SAML Service Provider (SP) assertion consumer service (ACS) path not correctly enforcing the Identity Provider (IdP) selected for SP-initiated logins. Specifically, when dealing with unsigned responses combined with signed assertions without proper SubjectConfirmationData, a response from one trusted IdP can mistakenly be associated with SP state meant for another IdP. This oversight can lead to unauthorized access and bypass user routing flows, particularly in configurations designed to prevent unsolicited login attempts. Versions 2.4.7 and 2.5.2 have addressed this issue.
Affected Version(s)
simplesamlphp < 2.4.7 < 2.4.7
simplesamlphp >= 2.5.0-rc1, < 2.5.2 < 2.5.0-rc1, 2.5.2
