CVE Catalog

CVE-2026-46490

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.05%

15th percentile - higher than 15% of all known CVEs

Summary

The samlify library for Node.js, used for SAML single sign-on, prior to version 2.13.0 improperly handled template substitution, allowing XML markup injection into attribute values. A user could add new <saml:Attribute> elements to the signed assertion, leading to privilege escalation.

Risk Assessment

Organizations may be exposed to unauthorized access and privilege escalation if attributes are used for authorization. Injected attributes could be treated as trusted by the system.

Recommendation

It is recommended to update the samlify library to version 2.13.0 or later to mitigate this vulnerability. Additionally, an audit of existing implementations should be conducted to detect potential abuses.

Original NVD description (English source)

samlify is a Node.js library for SAML single sign-on. Prior to version 2.13.0, samlify’s template substitution only escapes attribute contexts. Values inserted into element text (e.g., <saml:AttributeValue>) are not escaped. A normal user can inject XML markup into an attribute value (e.g., email, name) and add new <saml:Attribute> elements inside the signed assertion. The IdP then signs the tampered assertion and the SP accepts the injected attributes as trusted. This allows privilege escalation when attributes are used for authorization (roles/groups). This issue has been patched in version 2.13.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS