PatchSiren cyber security CVE debrief
CVE-2026-49284 simplesamlphp CVE debrief
CVE-2026-49284 is an information disclosure vulnerability in SimpleSAMLphp versions before 1.18.6. The vulnerability occurs when the SAML SP ACS path does not enforce the IdP selected for an SP-initiated login when unsigned Response/InResponseTo is combined with a signed assertion lacking SubjectConfirmationData/InResponseTo. This issue allows a response issued by one trusted IdP to be bound to SP state created for another IdP, potentially bypassing flows that route users to a specific IdP, including deployments that set enable_unsolicited to false. The vulnerability is fixed in versions 2.4.7 and 2.5.2. Users of SimpleSAMLphp versions before 1.18.6 should be aware of this vulnerability and take steps to mitigate it by updating to a fixed version or applying necessary configurations.
- Vendor
- simplesamlphp
- Product
- Unknown
- CVSS
- HIGH 7.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
Users of SimpleSAMLphp versions before 1.18.6, administrators of affected deployments, and security teams responsible for vulnerability management should be aware of this vulnerability and take steps to mitigate it. This includes updating SimpleSAMLphp to a fixed version, reviewing and updating configurations to ensure proper enforcement of IdP selection, and verifying deployments for potential exposure.
Technical summary
The vulnerability occurs when the SAML SP ACS path does not enforce the IdP selected for an SP-initiated login when unsigned Response/InResponseTo is combined with a signed assertion lacking SubjectConfirmationData/InResponseTo. This allows a response issued by one trusted IdP to be bound to SP state created for another IdP and bypass flows that route users to a specific IdP, including deployments that set enable_unsolicited to false. The issue is fixed in SimpleSAMLphp versions 2.4.7 and 2.5.2. Affected users should update to a fixed version to mitigate the vulnerability.
Defensive priority
High
Recommended defensive actions
- Update SimpleSAMLphp to version 1.18.6 or later
- Review and update SimpleSAMLphp configurations to ensure proper enforcement of IdP selection
- Verify SimpleSAMLphp deployments for potential exposure
- Apply necessary patches or updates to affected systems
- Review monitoring and detection capabilities for exposed assets
- Track exceptions and retest remediated assets
Evidence notes
The CVE record was published on 2026-07-17T20:17:21.830Z and has not been modified since then. The information disclosure vulnerability in SimpleSAMLphp versions before 1.18.6 occurs due to improper enforcement of IdP selection for SP-initiated login. This allows a response issued by one trusted IdP to be bound to SP state created for another IdP, potentially bypassing flows that route users to a specific IdP. Users should verify their deployments and configurations to ensure proper enforcement of IdP selection.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T20:17:21.830Z and has not been modified since then.