Cloud Foundry UAA incorrectly treats XML encryption to the Service Provider as a substitute for XML signatures from the Identity Provider. Unsigned SAML assertions that contain encrypted content are still accepted, meaning any party that can encrypt an assertion with the SP's public key can produce a value that UAA will decrypt and consider authentic. The flaw is a classic XML Encryption to Signature confusion, identified as CWE-347, and it effectively bypasses authentication by exploiting the trust relationship built into the SAML flow.

Affected products include Cloud Foundry UAA versions 2.0.0 through 78.13.0 and Cloud Foundry CF Deployment all versions through 56.1.0. Users deploying older UAA instances or legacy CF stages are vulnerable.

The vulnerability carries a CVSS score of 9, indicating high severity. EPSS data is not available, so the current exploitation probability is unknown but could be significant given the widespread use of SAML in cloud identity scenarios. The issue is not listed in the CISA KEV catalog. Attackers can craft a SAML assertion or response that contains encrypted content and send it to UAA’s token endpoint or browser SSO endpoint when the configuration flag wantAssertionSigned is set to false, leading to an accepted authentication grant without a legitimate signature. This attack requires the ability to target the UAA service, but does not require privileged credentials or a pre‑existing trust relationship with a legitimate Identity Provider.