PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-59151 prowler-cloud CVE debrief

CVE-2026-59151 is a critical vulnerability in Prowler, a cloud security platform, that affects its SAML authentication flow. Prior to version 5.30.3, Prowler's SAML authentication flow trusted the email domain asserted in a SAMLResponse when deciding which tenant should receive the final token. The ACS finish logic in api/src/backend/api/v1/views.py recalculated the tenant from user.email instead of binding token issuance to the validated SAML configuration. This flaw allows an authenticated attacker with a controlled SAML IdP to complete a valid SAML flow for an attacker-controlled domain while asserting an email address from another configured domain. Consequently, a SAMLToken and tenant-scoped JWT could be issued for the wrong tenant, enabling cross-tenant account takeover. This issue is fixed in version 5.30.3.

Vendor
prowler-cloud
Product
prowler
CVSS
CRITICAL 9.6
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Security teams and administrators responsible for cloud security platforms, particularly those using Prowler, should be aware of this vulnerability. Given its critical severity and potential for cross-tenant account takeover, immediate attention is advised for environments where Prowler is used.

Technical summary

The vulnerability lies in Prowler's SAML authentication flow, specifically in how it handles the email domain asserted in a SAMLResponse. Normally, SAML authentication involves an identity provider (IdP) asserting the identity of a user to a service provider (SP). In this case, Prowler acts as the SP. The issue arises because Prowler did not properly validate the SAMLResponse against the configured SAML IdP, allowing an attacker to manipulate the email domain. This manipulation could lead to the issuance of authentication tokens for the wrong tenant, enabling an attacker to take over accounts across different tenants.

Defensive priority

High

Recommended defensive actions

  • Immediately upgrade Prowler to version 5.30.3 or later.
  • Review and validate SAML configurations for accuracy and security best practices.
  • Monitor for suspicious activity related to SAML authentication and token issuance.
  • Implement additional logging and monitoring for cross-tenant activities.
  • Consider compensating controls such as multi-factor authentication for sensitive operations.

Evidence notes

The CVE record and NVD detail provide official information about the vulnerability. GitHub commits and releases related to Prowler version 5.30.3 offer insights into the fix. However, detailed technical analysis and specific attack vectors are not provided in the source material.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T19:17:26.780Z and has not been modified since then.