CVE-2026-32600

Source
https://cve.org/CVERecord?id=CVE-2026-32600
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32600.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-32600
Aliases
Published
2026-03-13T19:58:41.692Z
Modified
2026-04-10T05:42:24.543243Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Summary
xml-security is Missing AES-GCM Authentication Tag Validation on Encrypted Nodes Allows for Unauthorized Decryption
Details

xml-security is a library that implements XML signatures and encryption. Prior to versions 2.3.1 and 1.13.9, XML nodes encrypted with aes-128-gcm, aes-192-gcm, or aes-256-gcm lack validation of the authentication tag length. An attacker can use this to brute-force an authentication tag, recover the GHASH key, and decrypt the encrypted nodes. It also allows forging arbitrary ciphertexts without knowing the encryption key. This vulnerability is fixed in 2.3.1 and 1.13.9.

Database specific
{
    "cwe_ids": [
        "CWE-354"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32600.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/simplesamlphp/xml-security

Affected ranges

Type
GIT
Repo
https://github.com/simplesamlphp/xml-security
Events
Database specific
{
    "versions": [
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.3.1"
        }
    ]
}
Type
GIT
Repo
https://github.com/simplesamlphp/xml-security
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.13.9"
        }
    ]
}

Affected versions

v0.*
v0.0.1
v0.0.10
v0.0.11
v0.0.2
v0.0.4
v0.0.5
v0.0.6
v0.0.7
v0.0.8
v0.0.9
v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.2.4
v0.2.5
v0.2.6
v0.2.7
v0.3.0
v0.3.2
v0.3.3
v0.4.1
v0.4.3
v0.4.4
v0.4.5
v0.4.6
v0.4.7
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
v0.6.0
v0.6.1
v0.6.2
v0.6.3
v0.6.4
v0.6.5
v1.*
v1.0.0
v1.0.1
v1.0.3
v1.0.4
v1.0.5
v1.0.6
v1.0.7
v1.0.8
v1.1.0
v1.1.1
v1.1.2
v1.10.0
v1.11.0
v1.11.1
v1.11.2
v1.12.0
v1.12.1
v1.13.0
v1.13.1
v1.13.2
v1.13.5
v1.13.6
v1.13.7
v1.13.8
v1.2.0
v1.5.0
v1.5.1
v1.6.0
v1.6.1
v1.6.10
v1.6.11
v1.6.12
v1.6.2
v1.6.3
v1.6.4
v1.6.5
v1.6.6
v1.6.7
v1.6.8
v1.6.9
v1.7.0
v1.7.1
v1.7.2
v1.7.3
v1.7.4
v1.7.5
v1.7.6
v1.8.0
v1.8.1
v1.8.2
v1.8.3
v1.8.6
v1.8.7
v1.9.0
v1.9.1
v1.9.2
v1.9.3
v1.9.4
v1.9.5
v1.9.6
v2.*
v2.0.0
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.8
v2.0.9
v2.1.0
v2.1.1
v2.1.2
v2.2.0
v2.3.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32600.json"