Description
XML External Entity (XXE) vulnerability in esaml (and its forks) allows an attacker to cause the system to read local files and incorporate their contents into processed SAML documents, and potentially perform SSRF via crafted SAML messages.

esaml parses attacker-controlled SAML messages using xmerl_scan:string/2 before signature verification without disabling XML entity expansion. On Erlang/OTP versions before 27, Xmerl allows entities by default, enabling pre-signature XXE attacks. An attacker can cause the host to read local files (e.g., Kubernetes-mounted secrets) into the SAML document. If the attacker is not a trusted SAML SP, signature verification will fail and the document is discarded, but file contents may still be exposed through logs or error messages.

This issue affects all versions of esaml, including forks by arekinath, handnot2, and dropbox. Users running on Erlang/OTP 27 or later are not affected due to Xmerl defaulting to entities disabled.
Published: 2026-03-23
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local File Read and SSRF via malicious SAML
Action: Upgrade Erlang
AI Analysis

Impact

esaml and its forks parse SAML messages with xmerl_scan:string/2 before signature verification, leaving XML entity expansion enabled on Erlang/OTP versions below 27. This allows an attacker to craft a SAML message that includes XML entities that reference local files. When the message is processed, the system reads the specified file and injects its contents into the SAML document. Because signature verification runs later, the document may be discarded yet the read data can appear in logs or error messages, exposing sensitive information. The vulnerability is identified as CWE-611 and has a CVSS score of 6.3.

Affected Systems

All releases of the esaml library and its forks—Jump-App esaml, arekinath esaml, dropbox esaml, handnot2 esaml—are affected. Version information is not limited; every available version before the OTP 27 change is at risk.

Risk and Exploitability

The risk is moderate, with a CVSS score of 6.3 and EPSS score lower than 1 %. The vulnerability is not listed in the CISA KEV catalog, indicating it is not currently known to be exploited in the wild. The likely attack vector involves an attacker sending a specifically crafted SAML message to the target application over the network; the vulnerability can be triggered without authentication depending on the application’s exposure of the SAML endpoint. If the attacker is not a trusted service provider, signature verification will fail but the local file contents may still leak through logs, providing potential information disclosure and further exploitation via SSRF. The workaround of upgrading to Erlang/OTP 27 or later disables entity expansion by default, greatly reducing exploitability.

Generated by OpenCVE AI on April 6, 2026 at 19:32 UTC.

Remediation

Vendor Workaround

Upgrade to Erlang/OTP 27 or later. Starting with OTP 27, xmerl_scan disables entity expansion by default, which mitigates this vulnerability without changes to esaml.

OpenCVE Recommended Actions

  • Upgrade Erlang/OTP to version 27 or later
  • Verify that the application no longer processes malicious SAML messages
  • Review logs and error messages for unexpected file read content
  • Apply any available esaml library updates or hotfixes from the vendor after upgrading OTP

Generated by OpenCVE AI on April 6, 2026 at 19:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4g2h-vm7x-747c esaml XXE vulnerability allows local file disclosure and SSRF via crafted SAML messages
History

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Jump-app
Jump-app esaml
CPEs cpe:2.3:a:jump-app:esaml:*:*:*:*:*:*:*:*
Vendors & Products Jump-app
Jump-app esaml
References

Tue, 24 Mar 2026 05:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description XML External Entity (XXE) vulnerability in esaml (and its forks) allows an attacker to cause the system to read local files and incorporate their contents into processed SAML documents, and potentially perform SSRF via crafted SAML messages. esaml parses attacker-controlled SAML messages using xmerl_scan:string/2 before signature verification without disabling XML entity expansion. On Erlang/OTP versions before 27, Xmerl allows entities by default, enabling pre-signature XXE attacks. An attacker can cause the host to read local files (e.g., Kubernetes-mounted secrets) into the SAML document. If the attacker is not a trusted SAML SP, signature verification will fail and the document is discarded, but file contents may still be exposed through logs or error messages. This issue affects all versions of esaml, including forks by arekinath, handnot2, and dropbox. Users running on Erlang/OTP 27 or later are not affected due to Xmerl defaulting to entities disabled.
Title XXE in esaml SAML library allows local file read and potential SSRF
First Time appeared Arekinath
Arekinath esaml
Dropbox
Dropbox esaml
Handnot2
Handnot2 esaml
Weaknesses CWE-611
CPEs cpe:2.3:a:arekinath:esaml:*:*:*:*:*:*:*:*
cpe:2.3:a:dropbox:esaml:*:*:*:*:*:*:*:*
cpe:2.3:a:handnot2:esaml:*:*:*:*:*:*:*:*
Vendors & Products Arekinath
Arekinath esaml
Dropbox
Dropbox esaml
Handnot2
Handnot2 esaml
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Arekinath Esaml
Dropbox Esaml
Handnot2 Esaml
Jump-app Esaml
cve-icon MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-04-07T14:38:07.406Z

Reserved: 2026-03-03T14:40:00.590Z

Link: CVE-2026-28809

cve-icon Vulnrichment

Updated: 2026-03-23T15:07:18.519Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-23T11:16:24.343

Modified: 2026-04-06T17:17:09.377

Link: CVE-2026-28809

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T08:08:59Z

Weaknesses