PatchSiren cyber security CVE debrief
CVE-2026-46490 tngan CVE debrief
CVE-2026-46490 is a HIGH severity vulnerability in samlify, a Node.js library for SAML single sign-on. The vulnerability allows for privilege escalation when attributes are used for authorization (roles/groups).
- Vendor
- tngan
- Product
- samlify
- CVSS
- HIGH 8.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-08
- Original CVE updated
- 2026-06-09
- Advisory published
- 2026-06-08
- Advisory updated
- 2026-06-09
Who should care
Users of samlify library for SAML single sign-on, especially those using attributes for authorization.
Technical summary
Prior to version 2.13.0, samlify's template substitution only escapes attribute contexts. Values inserted into element text (e.g., <saml:AttributeValue>) are not escaped. A normal user can inject XML markup into an attribute value (e.g., email, name) and add new <saml:Attribute> elements inside the signed assertion. The IdP then signs the tampered assertion and the SP accepts the injected attributes as trusted.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to version 2.13.0 or later of the samlify library.
Evidence notes
The vulnerability has been patched in version 2.13.0.
Official resources
-
CVE-2026-46490 CVE record
CVE.org
-
CVE-2026-46490 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Exploit, Vendor Advisory
CVE-2026-46490 was published on [2026-06-08T19:16:45.950Z](https://www.cve.org/CVERecord?id=CVE-2026-46490) and modified on [2026-06-09T16:48:56.767Z](https://nvd.nist.gov/vuln/detail/CVE-2026-46490).