CVE-2026-41005
XML Encryption Bypass in Cloud Foundry UAA

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: VMware

Description
Cloud Foundry UAA incorrectly treated XML encryption to the Service Provider (confidentiality) as a substitute for XML signatures from the Identity Provider (authenticity) in two SAML flows: the OAuth 2.0 SAML2 bearer grant (token endpoint) and browser SSO (ACS) when wantAssertionSigned is set to false. Assertions or responses that were unsigned but contained encrypted content could still be accepted. Encryption uses the SP's public key from published metadata, so any party, not only a trusted IdP, can produce ciphertext that UAA can decrypt; successful decryption therefore does not prove that the IdP issued the message. Affected versions: Cloud Foundry UAA (uaa_release) 2.0.0 through 78.13.0; Cloud Foundry CF Deployment, all versions through 56.1.0.
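The trust decision the description refers to, as an added Python example that is not UAA's code: the flawed rule accepts a decryptable EncryptedAssertion in place of a signature when wantAssertionSigned is false, while the corrected rule requires a ds:Signature on the Response or on the (decrypted) Assertion. The SAML messages are constructed samples carrying structure only, and cryptographic verification of any signature element is assumed to be done by the XML-DSig library rather than shown here.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
XMLNS = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())

# Constructed sample messages (structure only; no real keys or signature values).
SIGNED_RESPONSE = f"<samlp:Response {XMLNS}><ds:Signature/><saml:Assertion/></samlp:Response>"
ENCRYPTED_UNSIGNED = (f"<samlp:Response {XMLNS}><saml:EncryptedAssertion>"
                      "<xenc:EncryptedData xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'/>"
                      "</saml:EncryptedAssertion></samlp:Response>")
PLAIN_UNSIGNED = f"<samlp:Response {XMLNS}><saml:Assertion/></samlp:Response>"
# Constructed plaintexts that decrypting the EncryptedAssertion might yield.
INNER_SIGNED = f"<saml:Assertion {XMLNS}><ds:Signature/></saml:Assertion>"
INNER_UNSIGNED = f"<saml:Assertion {XMLNS}/>"

def _signed(elem):
    """True when elem carries an enveloped ds:Signature child. Checking that
    signature cryptographically is the XML-DSig library's job (assumed here);
    this only decides whether there is an IdP signature to verify at all."""
    return elem.find("ds:Signature", NS) is not None

def trust_basis(response_xml):
    """What acceptance of this Response could rest on before any decryption."""
    root = ET.fromstring(response_xml)
    if _signed(root) or any(_signed(a) for a in root.findall("saml:Assertion", NS)):
        return "signed"
    if root.find("saml:EncryptedAssertion", NS) is not None:
        return "encrypted"
    return "none"

def accept_vulnerable(response_xml, want_assertion_signed):
    """Flawed rule from the advisory: with wantAssertionSigned=false, ciphertext
    the SP can decrypt is treated as if the IdP had signed it."""
    basis = trust_basis(response_xml)
    return basis == "signed" or (basis == "encrypted" and not want_assertion_signed)

def accept_fixed(response_xml, decrypted_assertion_xml=None):
    """Corrected rule: an IdP signature is required on the Response or on the
    (decrypted) Assertion. Encryption alone never grants trust, because anyone
    holding the SP's published metadata can produce it."""
    basis = trust_basis(response_xml)
    if basis == "signed":
        return True
    if basis == "encrypted" and decrypted_assertion_xml is not None:
        return _signed(ET.fromstring(decrypted_assertion_xml))
    return False
```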
Meta Information
Generated: 2026-06-12
AI Q&A: 2026-06-12
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor | Product | Version / Range
cloud_foundry | uaa | from 2.0.0 (inclusive) to 78.13.0 (inclusive)
cloud_foundry | cf_deployment | up to 56.1.0 (inclusive)
CWE
CWE-347: The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Executive Summary

This vulnerability in Cloud Foundry UAA involves incorrect handling of XML encryption in SAML authentication flows. Specifically, UAA treated XML content encrypted to the Service Provider as a substitute for XML signatures from the Identity Provider, which are what actually establish authenticity. This occurred in two SAML flows: the OAuth 2.0 SAML2 bearer grant and browser SSO when the wantAssertionSigned setting was false.

Because encryption uses the Service Provider's public key, any party, not just a trusted Identity Provider, can create encrypted messages that UAA will decrypt and accept. Therefore, successful decryption does not prove that the message was issued by a legitimate Identity Provider, allowing unsigned assertions or responses with encrypted content to be accepted improperly.

Impact Analysis

This vulnerability can lead to a serious security risk where an attacker can forge authentication assertions or responses that appear valid to the Cloud Foundry UAA system. Since unsigned but encrypted messages are accepted, an attacker could impersonate a trusted Identity Provider, potentially gaining unauthorized access to protected resources.

The impact includes compromise of the confidentiality, integrity, and availability of the system; the CVSS score of 9.0 rates the impact on all three as high.

Compliance Impact

This vulnerability impacts the authenticity verification of SAML assertions by incorrectly treating XML encryption as a substitute for XML signatures. As a result, unsigned assertions or responses containing encrypted content could be accepted, allowing any party to produce ciphertext that UAA can decrypt. This undermines the trustworthiness of identity assertions.

Such a flaw can lead to unauthorized access or impersonation, which may result in breaches of confidentiality and integrity of sensitive data. Consequently, this vulnerability could negatively affect compliance with standards and regulations like GDPR and HIPAA that require strong authentication and protection of personal and sensitive information.
