Executive Summary

CVE-2026-32313 is a high-severity vulnerability in the xmlseclibs PHP library affecting versions prior to 3.1.5. The issue arises because the library does not properly validate the length of the authentication tag during AES-GCM decryption of XML encrypted nodes. Specifically, the authentication tag is extracted without verifying that it is the expected 16 bytes long.

This flaw allows an attacker to supply a shorter-than-expected authentication tag and brute-force it byte-by-byte. By doing so, the attacker can recover the internal GHASH key used by AES-GCM. With the GHASH key, the attacker can decrypt encrypted XML nodes without knowing the encryption key and also forge arbitrary ciphertexts with valid authentication tags.

The vulnerability exploits the lack of validation on the authentication tag length, enabling unauthorized decryption and ciphertext forgery. It is fixed in version 3.1.5 by enforcing strict authentication tag length validation.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts including unauthorized decryption of AES-GCM encrypted XML nodes, allowing attackers to access sensitive information without the encryption key.

Additionally, attackers can forge arbitrary ciphertexts with valid authentication tags, potentially enabling data tampering or injection of malicious data that appears legitimate.

The recovery of the internal GHASH key compromises the cryptographic integrity of the encrypted data, making the encryption ineffective against attackers exploiting this flaw.

In environments where symmetric keys are static rather than ephemeral, the risk is especially critical, necessitating key rotation to mitigate impact.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for XML parsing errors, specifically HTTP 500 errors, that occur during decryption of AES-GCM encrypted XML nodes when the authentication tag is manipulated.

An attacker can brute-force the authentication tag byte-by-byte by modifying the <xenc:CipherValue> node in the XML, base64-decoding it, isolating the nonce and tag, and guessing each byte of the tag. Valid guesses cause XML parsing errors (HTTP 500), which can be used as an oracle to detect the vulnerability.

A practical detection approach involves running a PHP server that processes XML encrypted assertions and using a script like nonce_reuse_with_fmt_val_oracle.py to automate the tag brute-forcing and observe the server responses.

While no specific commands are provided, detection involves analyzing server logs for HTTP 500 errors during XML decryption and potentially using the mentioned proof-of-concept script to test for the vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade the xmlseclibs library to version 3.1.5 or later, where the vulnerability is fixed by enforcing proper authentication tag length validation during AES-GCM decryption.

The patch added a validation step that throws an exception if the authentication tag length is invalid, preventing processing of malformed or malicious data.

If upgrading immediately is not possible, consider monitoring for suspicious XML parsing errors and avoid using static symmetric keys encrypted with xmlseclibs, as the impact is critical when static keys are used.

Useful 0 Not Useful 0