Information Disclosure Vulnerability in SimpleSAMLphp by SimpleSAML
CVE-2026-49284

7.1HIGH

Key Information:

Vendor
CVE Published:
17 July 2026

What is CVE-2026-49284?

SimpleSAMLphp versions released before 1.18.6 have a vulnerability that allows information disclosure. This flaw arises from the SAML Service Provider (SP) assertion consumer service (ACS) path not correctly enforcing the Identity Provider (IdP) selected for SP-initiated logins. Specifically, when dealing with unsigned responses combined with signed assertions without proper SubjectConfirmationData, a response from one trusted IdP can mistakenly be associated with SP state meant for another IdP. This oversight can lead to unauthorized access and bypass user routing flows, particularly in configurations designed to prevent unsolicited login attempts. Versions 2.4.7 and 2.5.2 have addressed this issue.

Affected Version(s)

simplesamlphp < 2.4.7 < 2.4.7

simplesamlphp >= 2.5.0-rc1, < 2.5.2 < 2.5.0-rc1, 2.5.2

References

CVSS V3.1

Score:
7.1
Severity:
HIGH
Confidentiality:
Low
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.