CVE-2026-49454
Deferred Deferred - Pending Action

SAML Signature Forgery in Relyra Library

Vulnerability report for CVE-2026-49454, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-18

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description

Relyra is a strict-by-default SAML 2.0 Service Provider library for Elixir and Phoenix. Versions 1.0.0 and 1.1.0 accept forged SAML signatures because SignatureValue was not cryptographically verified before the library returned a successful authentication result. The XMLDSig trust boundary was incomplete as :public_key.verify over the exclusive-C14N canonicalized SignedInfo was not performed against the configured IdP certificate's public key, DigestValue was not recomputed over the canonicalized referenced element, and canonicalize/2 remained an unused passthrough in the signature-verification path. The result was a structure-only acceptance path where document shape and trust-source rejection could succeed without proving the signature bytes. A forged SignatureValue carrying an attacker-controlled NameID could be accepted as {:ok}. This issue has been fixed in version 1.2.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-18
Last Modified
2026-06-22
Generated
2026-07-09
AI Q&A
2026-06-19
EPSS Evaluated
2026-07-08
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
relyra relyra to 1.2.0 (exc)
relyra relyra 1.2.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-347 The product does not verify, or incorrectly verifies, the cryptographic signature for data.
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects the Relyra library versions 1.0.0 and 1.1.0, which is a strict-by-default SAML 2.0 Service Provider library for Elixir and Phoenix. The issue is that these versions accept forged SAML signatures because the SignatureValue was not cryptographically verified before returning a successful authentication result.

Specifically, the verification process was incomplete: the library did not perform the necessary cryptographic verification of the SignedInfo against the configured Identity Provider's public key, did not recompute the DigestValue over the referenced element, and left the canonicalization function unused in the signature verification path. This allowed attackers to forge signatures and have them accepted as valid, potentially allowing unauthorized authentication.

The vulnerability was fixed in version 1.2.0 of the library.

Impact Analysis

This vulnerability can have a severe impact because it allows attackers to forge SAML signatures and be accepted as authenticated users without proper verification.

An attacker could impersonate legitimate users by controlling the NameID in the forged signature, potentially gaining unauthorized access to systems or data protected by the vulnerable Relyra library.

The CVSS score of 9.1 indicates a high severity, meaning the vulnerability is easy to exploit remotely without privileges or user interaction, and it can lead to complete compromise of confidentiality and integrity.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade the Relyra library to version 1.2.0 or later, where the issue has been fixed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49454. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart