
PEACH
Un cadre d’isolation des locataires
CVE-2026-49289 is a Denial-of-Service vulnerability in the SimpleSAMLphp SAML2 library caused by improper handling of XPath transforms in SAML messages. It affects simplesamlphp/saml2 and simplesamlphp/saml2-legacy versions up to and including 4.20.2. The vulnerability was originally published on May 29, 2026 by maintainer tvdijen and added to the GitHub Advisory Database on July 2, 2026. It carries a CVSS v3.1 base score of 7.5 (High) (GitHub Advisory, SAML2 Advisory).
The root cause is uncontrolled resource consumption (CWE-400) stemming from the library's failure to restrict the number or type of XML transforms permitted in SAML messages. Specifically, the library did not refuse XPath transforms, which can be computationally expensive and are not required by the SAML 2.0 Core Specification. An unauthenticated remote attacker can craft a SAML message containing excessive or XPath-based transforms and submit it to any service provider or identity provider relying on this library, triggering resource exhaustion. The fix restricts transforms to only those algorithms defined in the SAML 2.0 Core Specification and caps the total number of allowed transforms (GitHub Advisory, SAML2 Advisory).
Successful exploitation results in a Denial-of-Service condition against any entity relying on the affected SimpleSAMLphp SAML2 library, including identity providers and service providers using SimpleSAMLphp. There is no impact on confidentiality or data integrity — the sole consequence is high availability impact, potentially rendering authentication services unavailable to legitimate users. Because SAML endpoints are typically internet-facing, the attack surface is broad and no authentication is required to trigger the condition (GitHub Advisory).
simplesamlphp/saml2 library (versions ≤ 4.20.2) by probing known SAML endpoints (e.g., /simplesaml/saml2/idp/SSO.php or SP assertion consumer service URLs).http://www.w3.org/TR/1999/REC-xpath-19991116) transform references within <ds:Transform> elements of the XML signature./saml2/idp/SSO, assertion consumer service URLs) from single or distributed source IPs with unusually large XML payloads.Upgrade simplesamlphp/saml2 and simplesamlphp/saml2-legacy to version 4.20.3 or later, which restricts XML transforms to only those algorithms permitted by the SAML 2.0 Core Specification and explicitly refuses XPath transforms. No configuration-based workaround is documented; patching is the recommended and only confirmed remediation. Organizations should prioritize this update for any internet-facing SAML identity providers or service providers using the affected library (GitHub Advisory, SAML2 Advisory).
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."