Description
Cloud Foundry UAA is vulnerable to a bypass that allows an attacker to obtain a token for any user and gain access to UAA-protected systems. This vulnerability exists when SAML 2.0 bearer assertions are enabled for a client, as the UAA accepts SAML 2.0 bearer assertions that are neither signed nor encrypted. This issue affects UAA from v77.30.0 to v78.7.0 (inclusive) and it affects CF Deployment from v48.7.0 to v54.14.0 (inclusive).
Published: 2026-04-16
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized token acquisition and access
Action: Immediate Patch
AI Analysis

Impact

Cloud Foundry UAA is vulnerable to an authentication bypass that lets an attacker obtain a token for any user and gain access to UAA-protected systems. The flaw exists because, when the SAML 2.0 bearer assertion grant is enabled for a client, the UAA accepts assertions that are neither signed nor encrypted. Since the signature is the only thing that binds an assertion to the identity provider, an attacker can write an assertion naming any user and present it as if the identity provider had issued it. The CVSS vector recorded on this page (C:H/I:N/A:N with changed scope) rates the direct impact as a complete loss of confidentiality reaching beyond the UAA itself; what the attacker can then do with the token depends on the privileges of the impersonated user.

Affected Systems

The vulnerability affects Cloud Foundry UAA versions v77.30.0 through v78.7.0 inclusive, and CF Deployment releases v48.7.0 through v54.14.0 inclusive. A deployment in that range is exposed whenever at least one client is configured to use the SAML 2.0 bearer assertion grant; a deployment with no such client is not exposed by this issue. The affected-range wording implies that releases after v78.7.0 and v54.14.0 carry the fix, but confirm that against the vendor advisory before relying on it.

Risk and Exploitability

The CVSS 3.1 score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) indicates high severity: the attack is reachable over the network, is low complexity, and needs neither privileges nor user interaction. The EPSS score is below 1% and the vulnerability is not listed in CISA's KEV catalog, so no exploitation in the wild is known at the time of writing; the SSVC record in the history below nonetheless marks it as automatable. The attack consists of submitting a crafted, unsigned SAML 2.0 bearer assertion to the UAA's token endpoint, which then issues a token for the named user and with it access to every API and service that trusts the UAA.

Generated by OpenCVE AI on April 17, 2026 at 02:21 UTC.

Remediation

No vendor fix or workaround is recorded on this page. The affected range ends at UAA v78.7.0 and CF Deployment v54.14.0 inclusive, which implies later releases contain the fix.

OpenCVE Recommended Actions

  • Upgrade Cloud Foundry UAA beyond v78.7.0 (and CF Deployment beyond v54.14.0); the affected range ends at those versions, which implies the fix lands in the next releases, but confirm against the vendor advisory. Signature enforcement is what closes the hole; encrypting assertions is a separate control and does not by itself authenticate the issuer.
  • Until patched, reduce exposure by removing the SAML 2.0 bearer assertion grant from every client that does not need it, since the issue only applies when that grant is enabled for a client.
  • After patching, confirm the behaviour: present an unsigned assertion for a test account through the SAML bearer grant and verify that no token is issued, and that an assertion signed with a key other than the configured identity provider's is refused as well.
  • Review token-issuance audit logs for tokens obtained through the SAML bearer grant for users with no corresponding login at the identity provider, and for bearer-grant tokens issued to privileged accounts during the exposure window.
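To make the distinction concrete, here is an added illustration, not code from the UAA project: the permissive logic the advisory describes (take the NameID from whatever assertion arrives) next to a structural gate that refuses unsigned assertions, checks that the signature's Reference actually covers the assertion, and enforces issuer, audience and validity window. The issuer and audience values, the fixed clock and the sample assertions are all constructed for the example. The gate runs in front of, not instead of, cryptographic XML-DSig verification, which has to be done by a real SAML library against the identity provider's certificate; the SignatureValue in the sample is a placeholder that the gate does not verify.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml": SAML, "ds": DS}

# Assumed relying-party configuration (illustrative values, not UAA defaults).
TRUSTED_ISSUER = "https://idp.example.com/saml/metadata"
EXPECTED_AUDIENCE = "https://uaa.example.com/oauth/token"
FIXED_NOW = datetime(2026, 4, 17, 12, 0, tzinfo=timezone.utc)  # constructed clock

class AssertionRejected(Exception):
    """Raised when an assertion fails a mandatory check."""

def vulnerable_subject(assertion_xml: str) -> str:
    """The permissive behaviour the advisory describes: the NameID is trusted
    whether or not the assertion carries a ds:Signature."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise AssertionRejected("no NameID")
    return name_id.strip()

def _parse_time(value: str) -> datetime:
    # SAML timestamps are UTC and normally end in "Z"; fromisoformat on
    # Python < 3.11 only accepts the "+00:00" spelling.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def hardened_subject(assertion_xml: str, now: Optional[datetime] = None) -> str:
    """Structural gate: signed, in-window, addressed to us, from the trusted
    issuer. Cryptographic verification of the signature must still follow."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML}}}Assertion":
        raise AssertionRejected("root element is not saml:Assertion")
    assertion_id = root.get("ID")
    if not assertion_id:
        raise AssertionRejected("assertion has no ID")
    # 1. A ds:Signature must be enveloped directly inside the assertion.
    sig = root.find("ds:Signature", NS)
    if sig is None:
        raise AssertionRejected("assertion is unsigned")
    # 2. It must reference this assertion's ID, not some other element
    #    (otherwise a genuinely signed element can be wrapped around forged content).
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + assertion_id:
        raise AssertionRejected("signature does not cover this assertion")
    if not (sig.findtext("ds:SignatureValue", namespaces=NS) or "").strip():
        raise AssertionRejected("empty SignatureValue")
    # 3. Issuer, validity window and audience.
    if (root.findtext("saml:Issuer", namespaces=NS) or "").strip() != TRUSTED_ISSUER:
        raise AssertionRejected("untrusted issuer")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise AssertionRejected("missing Conditions")
    not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < _parse_time(not_before):
        raise AssertionRejected("assertion not yet valid")
    if not not_after or now >= _parse_time(not_after):
        raise AssertionRejected("assertion expired or has no expiry")
    audiences = [a.text.strip() for a in
                 cond.iterfind("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if EXPECTED_AUDIENCE not in audiences:
        raise AssertionRejected("audience mismatch")
    return vulnerable_subject(assertion_xml)  # NameID extraction itself is the same

def outcome(assertion_xml: str, now: Optional[datetime] = None) -> str:
    """Convenience wrapper: the accepted NameID, or 'rejected: <reason>'."""
    try:
        return hardened_subject(assertion_xml, now)
    except AssertionRejected as exc:
        return f"rejected: {exc}"

def build_assertion(name_id: str, signed: bool, ref_uri: str = "#_a1",
                    not_after: str = "2026-04-17T13:00:00Z") -> str:
    """Constructed sample assertion for the demo; a real IdP would emit a
    canonicalised, actually signed document."""
    signature = ""
    if signed:
        signature = (f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo>'
                     f'<ds:Reference URI="{ref_uri}"/></ds:SignedInfo>'
                     '<ds:SignatureValue>PLACEHOLDER==</ds:SignatureValue></ds:Signature>')
    return (f'<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0" '
            'IssueInstant="2026-04-17T11:59:00Z">'
            f'<saml:Issuer>{TRUSTED_ISSUER}</saml:Issuer>{signature}'
            f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotBefore="2026-04-17T11:59:00Z" NotOnOrAfter="{not_after}">'
            f'<saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience>'
            '</saml:AudienceRestriction></saml:Conditions></saml:Assertion>')

FORGED_UNSIGNED = build_assertion("admin", signed=False)  # what the attacker sends
SIGNED_OK = build_assertion("alice", signed=True)

if __name__ == "__main__":
    print("vulnerable path accepts:", vulnerable_subject(FORGED_UNSIGNED))
    print("hardened path, forged:  ", outcome(FORGED_UNSIGNED, FIXED_NOW))
    print("hardened path, signed:  ", outcome(SIGNED_OK, FIXED_NOW))
```

The Reference-URI check is worth keeping even after the signature itself is verified: a valid signature over some other element proves nothing about the assertion that names the user, and libraries that locate the signature by a loose XPath have been caught by exactly that.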


Tracking


Advisories

No advisories yet.

History

Fri, 17 Apr 2026 14:15:00 +0000

Metrics added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 17 Apr 2026 08:15:00 +0000

First Time appeared: Cloudfoundry; Cloudfoundry cf-deployment; Cloudfoundry uaa
Vendors & Products added: Cloudfoundry; Cloudfoundry cf-deployment; Cloudfoundry uaa

Thu, 16 Apr 2026 23:45:00 +0000

Description added: Cloud Foundry UUA is vulnerable to a bypass that allows an attacker to obtain a token for any user and gain access to UAA-protected systems. This vulnerability exists when SAML 2.0 bearer assertions are enabled for a client, as the UAA accepts SAML 2.0 bearer assertions that are neither signed nor encrypted. This issue affects UUA from v77.30.0 to v78.7.0 (inclusive) and it affects CF Deployment from v48.7.0 to v54.14.0 (inclusive).
Title added: Cloud Foundry UAA SAML 2.0 Signature Bypass
Weaknesses added: CWE-290 (Authentication Bypass by Spoofing)
References added: none listed
Metrics added: cvssV3_1
{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-04-17T13:21:04.331Z

Reserved: 2026-01-09T06:54:41.498Z

Link: CVE-2026-22734

Vulnrichment

Updated: 2026-04-17T13:21:00.297Z

NVD

Status : Awaiting Analysis

Published: 2026-04-17T01:17:37.107

Modified: 2026-04-17T15:38:09.243

Link: CVE-2026-22734

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T08:01:22Z

Weaknesses