Improper Certificate Validation Affecting simplesamlphp/saml2 package, versions <4.20.2>=5.0.0, <5.0.6>=6.0.0, <6.2.1


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-PHP-SIMPLESAMLPHPSAML2-17798867
  • published2 Jul 2026
  • disclosed2 Jul 2026
  • creditUnknown

Introduced: 2 Jul 2026

NewCVE-2026-49283  (opens in a new tab)
CWE-295  (opens in a new tab)

How to fix?

Upgrade simplesamlphp/saml2 to version 4.20.2, 5.0.6, 6.2.1 or higher.

Overview

Affected versions of this package are vulnerable to Improper Certificate Validation in the HTTPArtifact::receive process. An attacker can gain unauthorized access to arbitrary user accounts by crafting a forged unsigned assertion from a malicious or lower-trust identity provider within the same federation. This is only exploitable if a multi-IdP or federation deployment is used and a malicious or lower-trust IdP can issue HTTP-Artifact responses to the service provider.

References

CVSS Base Scores

version 4.0
version 3.1