CVE-2026-49284
Received
Received - Intake
Information Disclosure in SimpleSAMLphp
Vulnerability report for CVE-2026-49284, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-17
Last updated on: 2026-07-17
Assigner: GitHub, Inc.
Description
Description
SimpleSAMLphp versions before 1.18.6 contain an information disclosure vulnerability. Prior to 2.4.7 and 2.5.2, SimpleSAMLphp's SAML SP ACS path does not enforce the IdP selected for an SP-initiated login when unsigned Response/InResponseTo is combined with a signed assertion lacking SubjectConfirmationData/InResponseTo, allowing a response issued by one trusted IdP to be bound to SP state created for another IdP and bypass flows that route users to a specific IdP, including deployments that set enable_unsolicited to false. This issue is fixed in versions 2.4.7 and 2.5.2.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| simplesamlphp | simplesamlphp | to 1.18.6 (exc) |
| simplesamlphp | simplesamlphp | to 2.4.7 (exc) |
| simplesamlphp | simplesamlphp | to 2.5.2 (exc) |
| simplesamlphp | simplesamlphp | 2.4.7 |
| simplesamlphp | simplesamlphp | 2.5.2 |
| simplesamlphp | simplesamlphp | to 2.4.6 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-345 | The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. |