PT-2026-55454 · Packagist · Simplesamlphp/Saml2+1

Published

2026-07-02

·

Updated

2026-07-02

·

CVE-2026-49289

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

This library turned out to be vulnerable to Denial-of-Service attacks using XPath transforms. A mitigation has been put in place to restrict the number of transforms and to restrict transforms to only the transform-algorithms mentioned in the SAML 2.0 Core Specifications (and specifically refuse XPath transforms).

Impact

An attacker is able to send specially crafted messages to any entity relying on SimpleSAMLphp (or directly on this SAML2-library) to be able to perform a Denial-of-Service attack.

Fix

Resource Exhaustion

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-49289
GHSA-5CJR-MXJ5-WMRX

Affected Products

Simplesamlphp/Saml2
Simplesamlphp/Saml2-Legacy