CVE-2026-28809

Source
https://cve.org/CVERecord?id=CVE-2026-28809
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28809.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-28809
Aliases
Published
2026-03-23T10:09:29.233Z
Modified
2026-07-08T08:12:26.604764974Z
Severity
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
XXE in esaml SAML library allows local file read and potential SSRF
Details

XML External Entity (XXE) vulnerability in esaml (and its forks) allows an attacker to cause the system to read local files and incorporate their contents into processed SAML documents, and potentially perform SSRF via crafted SAML messages.

esaml parses attacker-controlled SAML messages using xmerl_scan:string/2 before signature verification without disabling XML entity expansion. On Erlang/OTP versions before 27, Xmerl allows entities by default, enabling pre-signature XXE attacks. An attacker can cause the host to read local files (e.g., Kubernetes-mounted secrets) into the SAML document. If the attacker is not a trusted SAML SP, signature verification will fail and the document is discarded, but file contents may still be exposed through logs or error messages.

This issue affects all versions of esaml, including forks by arekinath, handnot2, and dropbox. Users running on Erlang/OTP 27 or later are not affected due to Xmerl defaulting to entities disabled.

Database specific
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "fixed": "bab85efde7c136911402a881ca55173759467a26"
                }
            ]
        },
        {
            "source": "CPE_FIELD",
            "extracted_events": [
                {
                    "fixed": "bab85efde7c136911402a881ca55173759467a26"
                }
            ]
        },
        {
            "source": "DESCRIPTION",
            "extracted_events": [
                {
                    "introduced": "2"
                },
                {
                    "fixed": "27"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28809.json",
    "cna_assigner": "EEF",
    "cwe_ids": [
        "CWE-611"
    ]
}
References

Affected packages

Git / github.com/arekinath/esaml

Affected ranges

Type
GIT
Repo
https://github.com/arekinath/esaml
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:arekinath:esaml:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.1"
        }
    ]
}

Affected versions

v0.*
v0.1
v1.*
v1.0
v1.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28809.json"

Git / github.com/handnot2/esaml

Affected ranges

Type
GIT
Repo
https://github.com/handnot2/esaml
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:handnot2:esaml:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.2.0"
        }
    ]
}

Affected versions

2.*
2.0.0
v0.*
v0.1
v1.*
v1.0
v1.1
v2.*
v2.1.0
v3.*
v3.0.0
v3.0.1
v3.1.0
v3.2.0
v3.3.0
v3.4.0
v3.5.0
v3.6.0
v3.6.1
v4.*
v4.0.0
v4.1.0
v4.2.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28809.json"

Git / github.com/jump-app/esaml

Affected ranges

Type
GIT
Repo
https://github.com/jump-app/esaml
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "REFERENCES"
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28809.json"