Description
Cloud Foundry UAA incorrectly treated XML encryption to the Service Provider (confidentiality) as a substitute for XML signatures from the Identity Provider (authenticity) in two SAML flows: the OAuth 2.0 SAML2 bearer grant (token endpoint) and browser SSO (ACS) when wantAssertionSigned is set to false. Assertions or responses that were unsigned but contained encrypted content could still be accepted. Encryption uses the SP's public key from published metadata, therefore, any party, not only a trusted IdP, can produce ciphertext UAA can decrypt; successful decryption therefore does not prove the IdP issued the message.

Affected versions:
Cloud Foundry UAA (uaa_release) 2.0.0 through 78.13.0.
Cloud Foundry CF Deployment all versions through 56.1.0.
Published: 2026-06-11
Score: 9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cloud Foundry UAA incorrectly treats XML encryption to the Service Provider (SP) as a stand‐in for XML signatures issued by the Identity Provider (IdP). During the OAuth 2.0 SAML2 bearer grant and browser SSO (ACS) flows, when the configuration flag wantAssertionSigned is set to false, UAA accepts assertions or responses that are unsigned but contain encrypted content. Because the encryption uses the SP’s public key from the published metadata, any entity—not just a trusted IdP—can encrypt a payload and submit it to UAA. Successful decryption proves only that the payload was encrypted for UAA, not that it originated from the legitimate IdP, allowing an attacker to craft a SAML assertion and obtain authentication tokens or access as a legitimate user. This flaw is a classic XML Encryption to Signature confusion (CWE‑347).

Affected Systems

Affected products include Cloud Foundry UAA versions 2.0.0 through 78.13.0 and all Cloud Foundry CF Deployment releases up to 56.1.0. Users running these older UAA or CF Deployment versions are vulnerable to an authentication bypass exploit.

Risk and Exploitability

The vulnerability has a CVSS score of 9, indicating high severity. EPSS data is not available, so the exploitation likelihood is uncertain but potentially significant in environments that rely heavily on SAML for authentication. The issue is not listed in the CISA KEV catalog. The attack requires the ability to reach UAA’s token or ACS endpoints, but no privileged credentials or prior trust relationship with a legitimate IdP are needed; an attacker only needs to craft and send a suitably encrypted SAML assertion.

Generated by OpenCVE AI on June 11, 2026 at 21:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Cloud Foundry UAA to the latest release (≥78.13.1) or later to obtain the vendor fix.
  • Upgrade Cloud Foundry CF Deployment to the latest release (≥56.1.1) to ensure all dependent components reflect the UAA patch.
  • Reconfigure the UAA service to set the SAML parameter wantAssertionSigned to true, enforcing that all assertions must be signed and negating the encryption substitution flaw.
  • Configure the UAA service to validate each incoming SAML assertion against trusted IdP certificates and reject any assertion that is unsigned or whose signature cannot be verified.

Generated by OpenCVE AI on June 11, 2026 at 21:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Cloudfoundry
Cloudfoundry cf-deployment
Cloudfoundry uaa
Vendors & Products Cloudfoundry
Cloudfoundry cf-deployment
Cloudfoundry uaa

Thu, 11 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Cloud Foundry UAA incorrectly treated XML encryption to the Service Provider (confidentiality) as a substitute for XML signatures from the Identity Provider (authenticity) in two SAML flows: the OAuth 2.0 SAML2 bearer grant (token endpoint) and browser SSO (ACS) when wantAssertionSigned is set to false. Assertions or responses that were unsigned but contained encrypted content could still be accepted. Encryption uses the SP's public key from published metadata, therefore, any party, not only a trusted IdP, can produce ciphertext UAA can decrypt; successful decryption therefore does not prove the IdP issued the message. Affected versions: Cloud Foundry UAA (uaa_release) 2.0.0 through 78.13.0. Cloud Foundry CF Deployment all versions through 56.1.0.
Title UAA accepts SAML Encrypted Assertions authentication bypass
Weaknesses CWE-347
References
Metrics cvssV3_1

{'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Cloudfoundry Cf-deployment Uaa
cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-13T03:55:30.398Z

Reserved: 2026-04-16T02:19:16.426Z

Link: CVE-2026-41005

cve-icon Vulnrichment

Updated: 2026-06-12T21:25:20.864Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-11T21:16:21.807

Modified: 2026-06-12T16:06:17.027

Link: CVE-2026-41005

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T20:15:12Z

Weaknesses
  • CWE-347

    Improper Verification of Cryptographic Signature