CVE-2026-28809
XML External Entity (XXE) Vulnerability in esaml Enables Local File Disclosure
Publication date: 2026-03-23
Last updated on: 2026-04-06
Assigner: EEF
Exploitability
| CWE ID | Description |
|---|---|
| CWE-611 | The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28809 is an XML External Entity (XXE) vulnerability found in the esaml SAML library and its forks. The vulnerability occurs because esaml parses attacker-controlled SAML messages using the Erlang function xmerl_scan:string/2 before verifying the message signature, without disabling XML entity expansion.
On Erlang/OTP versions before 27, xmerl allows XML entities by default, which enables an attacker to exploit this behavior to read local files on the host system, such as Kubernetes-mounted secrets, and incorporate their contents into the processed SAML documents.
Additionally, crafted SAML messages may allow Server-Side Request Forgery (SSRF). If the attacker is not a trusted SAML Service Provider, signature verification will fail and the malicious document will be discarded, but sensitive file contents may still be exposed through logs or error messages.
This issue affects all versions of esaml and its forks, and users running Erlang/OTP 27 or later are not affected because xmerl disables entity expansion by default in those versions.
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to read sensitive local files on your system, such as Kubernetes-mounted secrets, by exploiting the XML entity expansion feature in esaml before signature verification.
Even if the attacker is not trusted and the malicious SAML message is discarded after failing signature verification, the contents of these local files may still be exposed through logs or error messages, potentially leaking sensitive information.
Furthermore, the vulnerability may enable Server-Side Request Forgery (SSRF), which could allow attackers to make unauthorized requests from the vulnerable system.
Overall, this can lead to information disclosure and potentially further exploitation depending on the environment and data exposed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate mitigation is to upgrade to Erlang/OTP version 27 or later.
Erlang/OTP 27 disables XML entity expansion by default in xmerl_scan, which prevents the XML External Entity (XXE) vulnerability without requiring changes to the esaml library or its forks.
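The root cause described above is that an attacker-controlled SAML message is parsed, with entity expansion enabled, before its signature is checked. Independently of the OTP upgrade, a deployment can refuse to hand any message carrying a DTD to the SAML parser at all, since a SAML Response or Assertion never legitimately declares a DOCTYPE or an ENTITY. The following Python gate is an added example written for this page; it is not code from esaml, its forks, or the advisory. The function names, the `/path/to/secret` placeholder and the sample messages are constructed for illustration. It also shows the point made in the impact answer: the rejection reason never echoes the document body, so nothing from an expanded entity can leak into logs or error responses.

```python
import base64
import re
from typing import Tuple
from xml.etree import ElementTree as ET

# Markup that introduces a DTD. A well-formed SAML message carries neither token,
# so their presence is itself grounds for rejection before any parsing happens.
_DTD_MARKERS = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)

SAML_PROTOCOL_NS = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML_ASSERTION_NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"


def contains_dtd(raw: bytes) -> bool:
    """True if the raw document declares a DOCTYPE or an ENTITY anywhere."""
    return _DTD_MARKERS.search(raw) is not None


def decode_saml_response(b64: str) -> bytes:
    """A SAMLResponse form field is base64; decode it, tolerating stripped padding."""
    padded = b64 + "=" * (-len(b64) % 4)
    return base64.b64decode(padded)


def gate_saml_message(raw: bytes) -> Tuple[bool, str]:
    """Decide whether a raw SAML message may be passed on to the real SAML library.

    Returns (accepted, reason). The reason deliberately contains no content
    from the message, so a rejected document cannot leak data via logs.
    """
    if contains_dtd(raw):
        return False, "rejected: DOCTYPE/ENTITY declaration present"
    try:
        # Only reached for DTD-free input. stdlib expat does not fetch external
        # entities, but the gate above is what guarantees none are declared.
        root = ET.fromstring(raw)
    except ET.ParseError:
        return False, "rejected: not well-formed XML"
    if root.tag not in (SAML_PROTOCOL_NS + "Response", SAML_ASSERTION_NS + "Assertion"):
        return False, "rejected: unexpected root element"
    return True, "accepted"


# Constructed sample messages (not real traffic).
BENIGN_RESPONSE = (
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">'
    b"<saml:Issuer>https://idp.example</saml:Issuer>"
    b"</samlp:Response>"
)

# Same envelope, but with an external entity declared; the path is a placeholder.
XXE_RESPONSE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE samlp:Response [<!ENTITY xxe SYSTEM "file:///path/to/secret">]>'
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
    b"<samlp:Status>&xxe;</samlp:Status>"
    b"</samlp:Response>"
)


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_RESPONSE), ("xxe", XXE_RESPONSE)):
        accepted, reason = gate_saml_message(doc)
        print(f"{label}: accepted={accepted} ({reason})")
```

Place the gate where the HTTP-POST or Redirect binding payload is decoded, before the message reaches the library, and log only the reason string. This is a compensating control for deployments that cannot move to OTP 27 immediately; it does not replace the upgrade, since the library itself still parses before verifying.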