CVE-2026-49289
PHP Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-49289 is a Denial-of-Service vulnerability in the SimpleSAMLphp SAML2 library caused by improper handling of XPath transforms in SAML messages. It affects simplesamlphp/saml2 and simplesamlphp/saml2-legacy versions up to and including 4.20.2. The vulnerability was originally published on May 29, 2026 by maintainer tvdijen and added to the GitHub Advisory Database on July 2, 2026. It carries a CVSS v3.1 base score of 7.5 (High) (GitHub Advisory, SAML2 Advisory).

Détails techniques

The root cause is uncontrolled resource consumption (CWE-400) stemming from the library's failure to restrict the number or type of XML transforms permitted in SAML messages. Specifically, the library did not refuse XPath transforms, which can be computationally expensive and are not required by the SAML 2.0 Core Specification. An unauthenticated remote attacker can craft a SAML message containing excessive or XPath-based transforms and submit it to any service provider or identity provider relying on this library, triggering resource exhaustion. The fix restricts transforms to only those algorithms defined in the SAML 2.0 Core Specification and caps the total number of allowed transforms (GitHub Advisory, SAML2 Advisory).

Impact

Successful exploitation results in a Denial-of-Service condition against any entity relying on the affected SimpleSAMLphp SAML2 library, including identity providers and service providers using SimpleSAMLphp. There is no impact on confidentiality or data integrity — the sole consequence is high availability impact, potentially rendering authentication services unavailable to legitimate users. Because SAML endpoints are typically internet-facing, the attack surface is broad and no authentication is required to trigger the condition (GitHub Advisory).

Étapes d’exploitation

  1. Reconnaissance: Identify internet-facing services using SimpleSAMLphp or the simplesamlphp/saml2 library (versions ≤ 4.20.2) by probing known SAML endpoints (e.g., /simplesaml/saml2/idp/SSO.php or SP assertion consumer service URLs).
  2. Craft malicious SAML message: Construct a SAML AuthnRequest or Response XML document that includes a large number of XML transforms or specifically includes XPath (http://www.w3.org/TR/1999/REC-xpath-19991116) transform references within <ds:Transform> elements of the XML signature.
  3. Submit the crafted message: Send the malicious SAML message to the target's SAML endpoint via HTTP POST or redirect binding, requiring no authentication or prior session.
  4. Trigger resource exhaustion: The server processes the XPath transforms, consuming excessive CPU or memory resources, leading to degraded performance or a complete service outage for the SAML authentication service (GitHub Advisory).

Indicateurs de compromis

  • Network: Repeated HTTP POST requests to SAML endpoints (e.g., /saml2/idp/SSO, assertion consumer service URLs) from single or distributed source IPs with unusually large XML payloads.
  • Logs: Web server or application logs showing high-volume requests to SAML processing endpoints; PHP error logs indicating timeouts or memory exhaustion during XML signature validation.
  • Process: Elevated CPU or memory usage by the PHP process handling SAML requests; process hangs or crashes associated with XML/XPath processing libraries.
  • Application: Authentication service becoming unresponsive or returning 500/503 errors coinciding with spikes in SAML message processing (GitHub Advisory).

Atténuation et solutions de contournement

Upgrade simplesamlphp/saml2 and simplesamlphp/saml2-legacy to version 4.20.3 or later, which restricts XML transforms to only those algorithms permitted by the SAML 2.0 Core Specification and explicitly refuses XPath transforms. No configuration-based workaround is documented; patching is the recommended and only confirmed remediation. Organizations should prioritize this update for any internet-facing SAML identity providers or service providers using the affected library (GitHub Advisory, SAML2 Advisory).

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté PHP Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-49289HIGH7.5
  • PHP logoPHP
  • simplesamlphp/saml2
NonOuiJul 02, 2026
CVE-2026-49284HIGH7.1
  • PHP logoPHP
  • simplesamlphp/simplesamlphp
NonOuiJul 02, 2026
CVE-2026-14355MEDIUM5.6
  • PHP logoPHP
  • php7.4
NonOuiJul 03, 2026
GHSA-j5mc-p8qg-39j7LOW1.3
  • PHP logoPHP
  • kimai/kimai
NonOuiJul 02, 2026
CVE-2026-12184NONEN/A
  • PHP logoPHP
  • php83
NonOuiJul 03, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités