CVE-2026-49284 in SimpleSAMLphpinfo

Summary

by MITRE • 07/17/2026

SimpleSAMLphp versions before 1.18.6 contain an information disclosure vulnerability. Prior to 2.4.7 and 2.5.2, SimpleSAMLphp's SAML SP ACS path does not enforce the IdP selected for an SP-initiated login when unsigned Response/InResponseTo is combined with a signed assertion lacking SubjectConfirmationData/InResponseTo, allowing a response issued by one trusted IdP to be bound to SP state created for another IdP and bypass flows that route users to a specific IdP, including deployments that set enable_unsolicited to false. This issue is fixed in versions 2.4.7 and 2.5.2.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/17/2026

SimpleSAMLphp represents a widely deployed open source identity management solution implementing SAML protocols for single sign-on and identity federation across enterprise and academic environments. The information disclosure vulnerability affects versions prior to 1.18.6 and specifically targets the SAML Service Provider assertion consumer service endpoint. This flaw exploits a critical weakness in the authentication flow validation mechanism where the system fails to properly validate the relationship between identity providers and service providers during SP-initiated login scenarios.

The technical implementation of this vulnerability stems from insufficient validation of SAML response objects when processing unsigned responses combined with signed assertions that lack proper SubjectConfirmationData elements. In normal operation, SimpleSAMLphp maintains state information for each IdP session to ensure proper routing and authentication flow control. However, when an unsigned Response contains an InResponseTo field while the signed assertion lacks SubjectConfirmationData/InResponseTo, the system incorrectly accepts the response regardless of which identity provider originally issued it. This creates a condition where an attacker can manipulate session state by substituting responses from one trusted IdP to another, effectively bypassing the intended authentication flow.

The operational impact of this vulnerability extends beyond simple information disclosure to represent a significant authorization bypass that could allow unauthorized access to protected resources. When deployments utilize enable_unsolicited configuration set to false, which is standard practice for security-conscious implementations, the vulnerability enables attackers to circumvent the explicit IdP selection process that should govern user authentication flows. This represents a fundamental breakdown in the SAML protocol's session management and identity provider trust model, potentially allowing adversaries to gain access to systems they would normally be denied access to through proper authentication routing mechanisms.

This vulnerability aligns with CWE-200 (Information Exposure) and CWE-287 (Improper Authentication) categories within the Common Weakness Enumeration framework, demonstrating how improper validation of authentication state can lead to privilege escalation and unauthorized access. The flaw also maps to ATT&CK technique T1566.002 (Phishing: Spearphishing Attachment) as attackers could potentially craft malicious SAML responses to exploit this vulnerability during targeted attacks. Organizations should immediately upgrade to SimpleSAMLphp versions 2.4.7 or 2.5.2, which implement proper validation of the InResponseTo field consistency between unsigned responses and signed assertions. Additionally, security teams should review their current deployments for potential exploitation and consider implementing additional monitoring around SAML response processing and authentication state management within their identity infrastructure.

The fix implemented in versions 2.4.7 and 2.5.2 addresses this issue by enforcing strict validation of the relationship between authentication responses and session state information, ensuring that responses can only be accepted when they properly match the expected IdP and session context. This remediation restores the intended security controls around SP-initiated authentication flows while maintaining compatibility with legitimate SAML protocol implementations across various deployment scenarios.

Responsible

GitHub M

Reservation

05/28/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!