CVE-2026-46490
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk15th percentile - higher than 15% of all known CVEs
Summary
The samlify library for Node.js, used for SAML single sign-on, prior to version 2.13.0 improperly handled template substitution, allowing XML markup injection into attribute values. A user could add new <saml:Attribute> elements to the signed assertion, leading to privilege escalation.
Risk Assessment
Organizations may be exposed to unauthorized access and privilege escalation if attributes are used for authorization. Injected attributes could be treated as trusted by the system.
Recommendation
It is recommended to update the samlify library to version 2.13.0 or later to mitigate this vulnerability. Additionally, an audit of existing implementations should be conducted to detect potential abuses.
Original NVD description (English source)
samlify is a Node.js library for SAML single sign-on. Prior to version 2.13.0, samlify’s template substitution only escapes attribute contexts. Values inserted into element text (e.g., <saml:AttributeValue>) are not escaped. A normal user can inject XML markup into an attribute value (e.g., email, name) and add new <saml:Attribute> elements inside the signed assertion. The IdP then signs the tampered assertion and the SP accepts the injected attributes as trusted. This allows privilege escalation when attributes are used for authorization (roles/groups). This issue has been patched in version 2.13.0.

