CVE-2026-49284
Received Received - Intake

Information Disclosure in SimpleSAMLphp

Vulnerability report for CVE-2026-49284, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

SimpleSAMLphp versions before 1.18.6 contain an information disclosure vulnerability. Prior to 2.4.7 and 2.5.2, SimpleSAMLphp's SAML SP ACS path does not enforce the IdP selected for an SP-initiated login when unsigned Response/InResponseTo is combined with a signed assertion lacking SubjectConfirmationData/InResponseTo, allowing a response issued by one trusted IdP to be bound to SP state created for another IdP and bypass flows that route users to a specific IdP, including deployments that set enable_unsolicited to false. This issue is fixed in versions 2.4.7 and 2.5.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 6 associated CPEs
Vendor Product Version / Range
simplesamlphp simplesamlphp to 1.18.6 (exc)
simplesamlphp simplesamlphp to 2.4.7 (exc)
simplesamlphp simplesamlphp to 2.5.2 (exc)
simplesamlphp simplesamlphp 2.4.7
simplesamlphp simplesamlphp 2.5.2
simplesamlphp simplesamlphp to 2.4.6 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects SimpleSAMLphp versions before 1.18.6. It allows a response from one trusted Identity Provider (IdP) to be incorrectly bound to a Service Provider (SP) state created for another IdP. This happens when unsigned SAML responses with InResponseTo are combined with signed assertions missing SubjectConfirmationData/InResponseTo. The system may process the response instead of rejecting it, potentially bypassing SP flows that route users to specific IdPs.

Detection Guidance

Check SimpleSAMLphp version with: grep -r '"version"' /path/to/simplesamlphp/lib/SimpleSAML/Version.php. If version is below 2.4.7 or 2.5.2, the system is vulnerable. Review SAML logs for warnings about mismatched IdP responses, such as 'Received response from IdP B but expected IdP A'.

Impact Analysis

The impact includes authentication or authorization bypasses. An attacker could use a signed assertion from a lower-trust IdP to satisfy SP state intended for a different IdP. This is most dangerous in multi-IdP deployments where IdPs have varying trust levels or attribute namespaces. The vulnerability allows unauthorized access if the application relies on the expected IdP for authorization decisions.

Compliance Impact

This vulnerability could lead to unauthorized access or data exposure, which may violate compliance requirements such as GDPR (data protection) or HIPAA (healthcare data privacy). If authentication or authorization is bypassed, sensitive data could be accessed by unauthorized parties, resulting in non-compliance with these regulations.

Mitigation Strategies

Upgrade SimpleSAMLphp to version 2.4.7 or 2.5.2 immediately. Review SAML configuration to ensure enable_unsolicited is set correctly. Monitor IdP response mismatches in logs as a potential sign of exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49284. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart