CVE-2026-46490

Source
https://cve.org/CVERecord?id=CVE-2026-46490
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46490.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-46490
Aliases
Downstream
Published
2026-06-08T18:41:40.145Z
Modified
2026-07-08T08:05:17.564530048Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
samlify: XML Injection in AttributeValue Allows Privilege Escalation in Signed SAML Assertions
Details

samlify is a Node.js library for SAML single sign-on. Prior to version 2.13.0, samlify’s template substitution only escapes attribute contexts. Values inserted into element text (e.g., <saml:AttributeValue>) are not escaped. A normal user can inject XML markup into an attribute value (e.g., email, name) and add new <saml:Attribute> elements inside the signed assertion. The IdP then signs the tampered assertion and the SP accepts the injected attributes as trusted. This allows privilege escalation when attributes are used for authorization (roles/groups). This issue has been patched in version 2.13.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46490.json",
    "cwe_ids": [
        "CWE-91"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/tngan/samlify

Affected ranges

Type
GIT
Repo
https://github.com/tngan/samlify
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:samlify_project:samlify:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.13.0"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ]
}

Affected versions

v.*
v.2.4.0
v1.*
v1.0.0
v1.1.0
v1.1.3
v1.1.5
v1.2
v1.2.1
v1.2.2
v1.2.3
v1.2.4
v1.2.5
v2.*
v2.0.0
v2.0.0-alpha
v2.0.0-beta
v2.0.0-rc.1
v2.0.0-rc.2
v2.0.0-rc.3
v2.0.1
v2.0.1-rc.3
v2.0.2
v2.0.3
v2.0.4
v2.1.0
v2.1.1
v2.10.0
v2.10.1
v2.10.2
v2.11.0
v2.12.0
v2.2.0
v2.3.0
v2.3.3
v2.3.4
v2.3.5
v2.3.6
v2.3.7
v2.3.8
v2.4.0-rc1
v2.4.0-rc2
v2.4.0-rc4
v2.4.0-rc5
v2.4.0-rc6
v2.4.1
v2.4.2
v2.5.0
v2.5.0-rc1
v2.5.0-rc2
v2.5.0-rc3
v2.5.0-rc4
v2.5.1
v2.6.0
v2.6.1
v2.6.2
v2.6.3
v2.7.0
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.7.5
v2.7.6
v2.7.7
v2.8.0
v2.8.0-rc1
v2.8.1
v2.8.10
v2.8.11
v2.8.2
v2.8.3
v2.8.4
v2.8.5
v2.8.6
v2.8.7
v2.8.8
v2.8.9
v2.9.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46490.json"