CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-49284

highCVSS 7.1covered by 1 sourcefirst seen 2026-07-02
Summary SimpleSAMLphp's SAML SP ACS path does not enforce the IdP selected for an SP-initiated login. If a saved SP state contains ExpectedIssuer = IdP A, but the ACS receives a valid response from IdP B, the code logs a warning and continues processing instead of rejecting the response. That behavior becomes security-relevant when combined with the response-processing rule that accepts an unsigned samlp:Response/@InResponseTo outside the signed assertion whenever the signed assertion's SubjectConfirmationData does not carry its own InResponseTo. A response issued by one trusted IdP can therefore be bound to SP state created for another IdP. Impact In a multi-IdP deployment, a lower-trust IdP can satisfy SP state created for a different expected IdP. This can bypass an SP flow that intentionally routes the user to a specific IdP, including deployments that set enable_unsolicited to false to prevent IdP-initiated logins. The impact is highest when the SP trusts multiple IdPs with different assurance levels, tenant boundaries, or attribute namespaces, and application authorization depends on the selected/expected IdP. In those deployments this is an authentication/authorization bypass candidate. Impact strongly depends on whether an attacker can obtain a signed IdP-initiated assertion from a lower-trust trusted IdP and whether the downstream application maps identifiers globally.

⚡ Watch CVE-2026-49284

Get an email if CVE-2026-49284 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-49284

CVE.org record

Embed the live status

CVE-2026-49284 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-49284 status](https://www.csirts.com/badge/CVE-2026-49284)](https://www.csirts.com/cve/CVE-2026-49284)