CVE-2026-49284 in SimpleSAMLphpinformação

Sumário

de MITRE • 17/07/2026

SimpleSAMLphp versions before 1.18.6 contain an information disclosure vulnerability. Prior to 2.4.7 and 2.5.2, SimpleSAMLphp's SAML SP ACS path does not enforce the IdP selected for an SP-initiated login when unsigned Response/InResponseTo is combined with a signed assertion lacking SubjectConfirmationData/InResponseTo, allowing a response issued by one trusted IdP to be bound to SP state created for another IdP and bypass flows that route users to a specific IdP, including deployments that set enable_unsolicited to false. This issue is fixed in versions 2.4.7 and 2.5.2.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Responsável

GitHub M

Reservar

28/05/2026

Divulgação

17/07/2026

Moderação

aceite

Entrada

VDB-379924

CPE

pronto

EPSS

0.00000

KEV

não

Atividades

muito baixo

Fontes

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!