GHSA-q8r6-xj3f-wrrm

Source
https://github.com/advisories/GHSA-q8r6-xj3f-wrrm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/07/GHSA-q8r6-xj3f-wrrm/GHSA-q8r6-xj3f-wrrm.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-q8r6-xj3f-wrrm
Aliases
  • CVE-2026-49284
Published
2026-07-02T20:47:21Z
Modified
2026-07-02T21:00:17.057484427Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Summary
SimpleSAMLphp SP accepts a response from an unexpected IdP when unsigned `Response/InResponseTo` is combined with a signed assertion lacking `SubjectConfirmationData/InResponseTo`
Details

Summary

SimpleSAMLphp's SAML SP ACS path does not enforce the IdP selected for an SP-initiated login. If a saved SP state contains ExpectedIssuer = IdP A, but the ACS receives a valid response from IdP B, the code logs a warning and continues processing instead of rejecting the response.

That behavior becomes security-relevant when combined with the response-processing rule that accepts an unsigned samlp:Response/@InResponseTo outside the signed assertion whenever the signed assertion's SubjectConfirmationData does not carry its own InResponseTo. A response issued by one trusted IdP can therefore be bound to SP state created for another IdP.

Impact

In a multi-IdP deployment, a lower-trust IdP can satisfy SP state created for a different expected IdP. This can bypass an SP flow that intentionally routes the user to a specific IdP, including deployments that set enable_unsolicited to false to prevent IdP-initiated logins.

The impact is highest when the SP trusts multiple IdPs with different assurance levels, tenant boundaries, or attribute namespaces, and application authorization depends on the selected/expected IdP. In those deployments this is an authentication/authorization bypass candidate. Impact strongly depends on whether an attacker can obtain a signed IdP-initiated assertion from a lower-trust trusted IdP and whether the downstream application maps identifiers globally.

Database specific
{
    "github_reviewed_at": "2026-07-02T20:47:21Z",
    "nvd_published_at": null,
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-345"
    ],
    "severity": "HIGH"
}
References

Affected packages

Packagist / simplesamlphp/simplesamlphp

Package

Name
simplesamlphp/simplesamlphp
Purl
pkg:composer/simplesamlphp%2Fsimplesamlphp

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.5.0
Fixed
2.5.2

Affected versions

v2.*
v2.5.0
v2.5.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/07/GHSA-q8r6-xj3f-wrrm/GHSA-q8r6-xj3f-wrrm.json"
last_known_affected_version_range
"<= 2.5.1"

Packagist / simplesamlphp/simplesamlphp

Package

Name
simplesamlphp/simplesamlphp
Purl
pkg:composer/simplesamlphp%2Fsimplesamlphp

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.4.7

Affected versions

v1.*
v1.12.0
v1.13.0-rc1
v1.13.0-rc2
v1.13.0
v1.13.1
v1.13.2
v1.14.0-rc1
v1.14.0
v1.14.1
v1.14.2
v1.14.3
v1.14.4
v1.14.5
v1.14.6
v1.14.7
v1.14.8
v1.14.9
v1.14.10
v1.14.11
v1.14.12
v1.14.13
v1.14.14
v1.14.15
v1.14.16
v1.14.17
v1.15.0-rc1
v1.15.0-rc2
v1.15.0-rc3
v1.15.0
v1.15.1
v1.15.2
v1.15.3
v1.15.4
v1.17.0-rc1
v1.17.0-rc2
v1.17.0-rc3
v1.17.0
v1.17.1
v1.17.2
v1.17.3
v1.17.4
v1.17.5
v1.17.6
v1.17.7
v1.17.8
v1.18.0-rc1
v1.18.0-rc2
v1.18.0
v1.18.1
v1.18.2
v1.18.3
v1.18.4
v1.18.5
v1.18.6
v1.18.7
v1.18.8
v1.19.0-rc1
v1.19.0
v1.19.1
v1.19.2
v1.19.3
v1.19.4
v1.19.5
v1.19.6
v1.19.7
1.*
1.16.0-rc1
1.16.0
1.16.1
1.16.2
1.16.3
1.19.8
1.19.9
v2.*
v2.0.0-beta.1
v2.0.0-beta.2
v2.0.0-beta.3
v2.0.0-beta.4
v2.0.0-beta.11
v2.0.0-beta99
v2.0.0-rc1
v2.0.0-rc2
v2.0.0-rc3
v2.0.0
v2.0.1
v2.0.6
v2.0.7
v2.0.8
v2.0.9
v2.0.10
v2.0.11
v2.0.12
v2.0.13
v2.0.14
v2.0.15
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.1.6
v2.1.7
v2.1.8
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.2.4
v2.2.5
v2.2.6
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.3.4
v2.3.5
v2.3.6
v2.3.7
v2.3.8
v2.3.9
v2.3.10
v2.3.11
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
2.*
2.0.2
2.0.3
2.0.4-alpha.1
2.0.4
2.0.5
2.1.0-rc1
2.1.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/07/GHSA-q8r6-xj3f-wrrm/GHSA-q8r6-xj3f-wrrm.json"
last_known_affected_version_range
"<= 2.4.6"