Description
samlify is a Node.js library for SAML single sign-on. Prior to version 2.13.0, samlify’s template substitution only escapes attribute contexts. Values inserted into element text (e.g., <saml:AttributeValue>) are not escaped. A normal user can inject XML markup into an attribute value (e.g., email, name) and add new <saml:Attribute> elements inside the signed assertion. The IdP then signs the tampered assertion and the SP accepts the injected attributes as trusted. This allows privilege escalation when attributes are used for authorization (roles/groups). This issue has been patched in version 2.13.0.
Published: 2026-06-08
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

samlify implements SAML single sign‑on for Node.js. Prior to version 2.13.0 the library escaped only attribute contexts during template substitution; the value of an element such as <saml:AttributeValue> was inserted into the signed assertion without escaping. This allows an attacker to inject raw XML into an attribute value that the identity provider signs and the service provider trusts. The injected XML can introduce new <saml:Attribute> elements such as roles or groups, giving the attacker elevated privileges or unauthorized access when those attributes are used for authorization.

Affected Systems

The vulnerability affects the samlify library provided by tngan. Any application using samlify version 2.12.x or earlier and processing SAML assertions that derive attribute values from untrusted input is affected. The issue is resolved in version 2.13.0 and later of samlify.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The attack requires that an attacker can influence the content of an attribute value that will be embedded in a SAML assertion, typically by manipulating input passed to samlify. The attacker then obtains a signed assertion containing forged attributes; the service provider accepts these attributes as trusted, resulting in privilege escalation. This exploit is practical in scenarios where SAML assertions are signed by a trusted identity provider and attributes are used for authorization decisions.

Generated by OpenCVE AI on June 8, 2026 at 20:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade samlify to version 2.13.0 or later so that all SAML component values are properly escaped before signing.
  • Configure your SAML processing logic to reject any SAML assertion that contains unexpected or malformed <saml:Attribute> elements, especially those originating from user input.
  • Perform integration testing of the authentication flow to verify that no injected attributes are accepted and that privilege escalation cannot be achieved.
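
The escaping gap described above, together with the kind of regression check the last recommendation calls for, as an added example. This is not samlify's code; the template, the placeholder syntax and all function names are assumptions made for illustration.

```javascript
'use strict';
// Simplified illustration, not samlify's implementation. TEMPLATE, the {Name}
// placeholder syntax and every function name here are assumptions.
const TEMPLATE =
  '<saml:AttributeStatement>' +
  '<saml:Attribute Name="{AttrName}">' +
  '<saml:AttributeValue>{AttrValue}</saml:AttributeValue>' +
  '</saml:Attribute>' +
  '</saml:AttributeStatement>';

// Element text: & < > must become entities so the value cannot close its element.
function escapeText(value) {
  return String(value ?? '')
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Attribute values additionally need quotes escaped.
function escapeAttr(value) {
  return escapeText(value).replace(/"/g, '&quot;').replace(/'/g, '&apos;');
}

// escapeElementText=false models the pre-2.13.0 behaviour the advisory describes
// (only attribute contexts escaped); true escapes every substitution context.
function render(template, values, escapeElementText) {
  return template.replace(/(=")?\{(\w+)\}/g, (match, inAttr, key) => {
    if (inAttr) return '="' + escapeAttr(values[key]);
    return escapeElementText ? escapeText(values[key]) : String(values[key] ?? '');
  });
}

// Counts <saml:Attribute> start tags (not AttributeValue/AttributeStatement).
// A regex is enough for this fixed template; use an XML parser on real responses.
function countAttributes(xml) {
  return (xml.match(/<saml:Attribute[\s>]/g) || []).length;
}

// Constructed test value: a user-editable field carrying XML markup.
const SAMPLE = {
  AttrName: 'email',
  AttrValue: 'user@example.com</saml:AttributeValue></saml:Attribute>' +
    '<saml:Attribute Name="injected-test"><saml:AttributeValue>x',
};

// Regression check: one configured attribute in, exactly one element out.
function passesRegression(escapeElementText) {
  return countAttributes(render(TEMPLATE, SAMPLE, escapeElementText)) === 1;
}

console.log('attribute-only escaping:', passesRegression(false)); // false
console.log('all contexts escaped:   ', passesRegression(true));  // true
```

The same count-in versus count-out assertion can be run against the IdP's real response in an integration test after upgrading, using an XML parser instead of the regex.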



Advisories
Source: GitHub GHSA
ID: GHSA-34r5-q4jw-r36m
Title: samlify: XML Injection in AttributeValue Allows Privilege Escalation in Signed SAML Assertions

History

Mon, 08 Jun 2026 19:00:00 +0000

Values Removed: (none shown)

Values Added:

  • Description: samlify is a Node.js library for SAML single sign-on. Prior to version 2.13.0, samlify’s template substitution only escapes attribute contexts. Values inserted into element text (e.g., <saml:AttributeValue>) are not escaped. A normal user can inject XML markup into an attribute value (e.g., email, name) and add new <saml:Attribute> elements inside the signed assertion. The IdP then signs the tampered assertion and the SP accepts the injected attributes as trusted. This allows privilege escalation when attributes are used for authorization (roles/groups). This issue has been patched in version 2.13.0.
  • Title: samlify: XML Injection in AttributeValue Allows Privilege Escalation in Signed SAML Assertions
  • Weaknesses: CWE-91
  • References
  • Metrics: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-08T18:41:40.145Z

Reserved: 2026-05-14T18:06:06.811Z

Link: CVE-2026-46490

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-08T19:16:45.950

Modified: 2026-06-08T19:16:45.950

Link: CVE-2026-46490

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T20:45:32Z

Weaknesses