CVE-2026-59151
Undergoing Analysis Undergoing Analysis - In Progress

SAML Authentication Bypass in Prowler

Vulnerability report for CVE-2026-59151, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Prowler is a cloud security platform. Prior to 5.30.3, Prowler's SAML authentication flow trusted the email domain asserted in a SAMLResponse when deciding which tenant should receive the final token, and the ACS finish logic in api/src/backend/api/v1/views.py recalculated the tenant from user.email instead of binding token issuance to the validated SAML configuration. An authenticated attacker with a controlled SAML IdP could complete a valid SAML flow for an attacker-controlled domain while asserting an email address from another configured domain, causing a SAMLToken and tenant-scoped JWT to be issued for the wrong tenant and enabling cross-tenant account takeover. This issue is fixed in version 5.30.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
prowler-cloud prowler 5.30.3
prowler-cloud prowler to 5.30.3 (exc)
prowler-cloud prowler 1.31.3
prowler prowler 5.30.3

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-59151 is a critical security vulnerability in the Prowler cloud security platform involving its SAML authentication flow.

Before version 5.30.3, Prowler trusted the email domain asserted in a SAMLResponse to decide which tenant should receive the authentication token. However, the system recalculated the tenant from the user's email rather than binding token issuance strictly to the validated SAML configuration.

This flaw allowed an authenticated attacker controlling a SAML Identity Provider (IdP) to complete a valid SAML flow for an attacker-controlled domain while asserting an email address from another configured domain. As a result, the system issued a token and tenant-scoped JWT for the wrong tenant, enabling cross-tenant account takeover.

The vulnerability was fixed in Prowler version 5.30.3 by enforcing stricter checks that ensure token issuance is bound to the SAML configuration selected during the Assertion Consumer Service (ACS) route, verifying that the organization slug, SAML configuration email domain, and asserted user email domain all match before issuing a token.

Compliance Impact

The vulnerability in Prowler (CVE-2026-59151) allows an attacker to perform a cross-tenant account takeover by exploiting weaknesses in the SAML authentication flow. This unauthorized access could lead to exposure of sensitive cloud security audit findings, compliance data, and integration secrets belonging to other tenants.

Such unauthorized access and potential data exposure can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over access to sensitive data and tenant isolation to protect personal and health information.

By enabling attackers to gain full read/write access to victim tenants without proper authorization, the vulnerability undermines the confidentiality and integrity requirements mandated by these regulations, potentially leading to compliance violations.

The fix in version 5.30.3 mitigates this risk by enforcing strict domain and tenant validation during SAML authentication, thereby helping maintain compliance with such standards by preventing unauthorized cross-tenant access.

Impact Analysis

This vulnerability can lead to a cross-tenant account takeover, where an attacker gains unauthorized access to another tenant's account within the Prowler platform.

Successful exploitation allows the attacker to obtain a victim's JWT token and switch into their tenant without victim interaction.

Once inside, the attacker gains full read/write access to the victim's cloud security audit findings, compliance data, and integration secrets.

Additionally, the attacker may perform lateral movement into other tenants the victim belongs to, potentially compromising multiple accounts and sensitive data.

Mitigation Strategies

To mitigate the CVE-2026-59151 vulnerability, immediately upgrade Prowler to version 5.30.3 or later, where the issue has been fixed.

  • Ensure that the SAML authentication flow only links accounts when the asserted email domain matches the ACS endpoint's tenant domain.
  • Verify that users are members of the tenant associated with the asserted email domain before allowing login.
  • Reject SAML assertions with mismatched email domains to prevent cross-tenant account takeover.

These steps are implemented in the patched version 5.30.3, which enforces stricter validation of SAML assertions and tenant membership to prevent unauthorized access.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59151. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart