
PEACH
Un cadre d’isolation des locataires
CVE-2026-49284 is an authentication/authorization bypass vulnerability in SimpleSAMLphp affecting its SAML Service Provider (SP) Assertion Consumer Service (ACS) path. The flaw allows a response from an unexpected Identity Provider (IdP) to be accepted when an unsigned samlp:Response/@InResponseTo is combined with a signed assertion that lacks SubjectConfirmationData/InResponseTo. It affects SimpleSAMLphp versions >= 2.5.0 and <= 2.5.1, as well as <= 2.4.6. The vulnerability was originally published on May 29, 2026, and added to the GitHub Advisory Database on July 2, 2026. It carries a CVSS v3.1 base score of 7.1 (High) (GitHub Advisory).
The root cause is classified as CWE-345 (Insufficient Verification of Data Authenticity). SimpleSAMLphp's ACS path fails to enforce that the responding IdP matches the ExpectedIssuer stored in the SP's saved login state — when a mismatch is detected, the code logs a warning but continues processing rather than rejecting the response. This behavior becomes exploitable when combined with a second flaw: the SP accepts an unsigned samlp:Response/@InResponseTo attribute to bind a response to SP state, even when the signed assertion's SubjectConfirmationData does not include its own InResponseTo field. Together, these two weaknesses allow a response issued by one trusted IdP (e.g., a lower-trust IdP B) to be bound to SP state originally created for a different IdP (e.g., higher-trust IdP A), effectively crossing IdP trust boundaries (GitHub Advisory, SimpleSAMLphp Advisory).
The primary impact is authentication and authorization bypass in multi-IdP SimpleSAMLphp deployments. A lower-trust IdP can satisfy SP login state intended for a higher-trust IdP, potentially allowing an attacker to circumvent IdP-specific access controls, tenant boundaries, or assurance-level requirements. This is especially severe when application authorization logic depends on which IdP authenticated the user, as an attacker could gain access to resources or roles intended only for users authenticated by a more trusted IdP. The vulnerability also bypasses the enable_unsolicited = false configuration intended to prevent IdP-initiated logins. Availability is not impacted, but confidentiality (low) and integrity (high) are at risk (GitHub Advisory).
ExpectedIssuer = IdP A and a valid InResponseTo request ID.SubjectConfirmationData/InResponseTo) and wrap it in a samlp:Response that includes the InResponseTo value from the SP state created in step 3 (unsigned at the Response level).Response/@InResponseTo to bind the response to the IdP A SP state.ExpectedIssuer not matching the received Issuer in the SAML response); these warnings appearing without a corresponding authentication failure should be treated as suspicious.InResponseTo values matching active SP state for a different IdP.SimpleSAMLphp has released patched versions 2.5.2 and 2.4.7 that address this vulnerability. Administrators should upgrade immediately to one of these versions. As a compensating control prior to patching, deployments should review whether multiple IdPs with differing trust levels are configured and consider temporarily restricting the SP to a single IdP or enforcing strict issuer validation at the application layer. No specific configuration-only workaround is documented in the advisory (GitHub Advisory, SimpleSAMLphp Advisory).
The vulnerability was reported by security researcher kamil-sawicki and published by SimpleSAMLphp maintainer tvdijen on May 29, 2026. No significant broader media coverage or notable social media commentary has been identified beyond the official GitHub advisory (SimpleSAMLphp Advisory).
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."