CVE-2026-49454
CriticalCVSS 9.1Exploitation Probability (EPSS)
Low risk3th percentile — higher than 3% of all known CVEs
Summary
The Relyra library, a SAML 2.0 Service Provider for Elixir and Phoenix, in versions 1.0.0 and 1.1.0 accepted forged SAML signatures due to the lack of cryptographic verification of SignatureValue before returning a successful authentication result. This issue has been fixed in version 1.2.0.
Risk Assessment
Organizations using the vulnerable versions may be exposed to attacks where forged SAML signatures could lead to unauthorized access to resources. This poses a serious threat to the integrity and confidentiality of data.
Recommendation
It is recommended to update the Relyra library to version 1.2.0 or later to protect against the acceptance of forged SAML signatures. Additionally, conducting an audit of existing SAML implementations to identify potential vulnerabilities is advisable.
Original NVD description (English source)
Relyra is a strict-by-default SAML 2.0 Service Provider library for Elixir and Phoenix. Versions 1.0.0 and 1.1.0 accept forged SAML signatures because SignatureValue was not cryptographically verified before the library returned a successful authentication result. The XMLDSig trust boundary was incomplete as :public_key.verify over the exclusive-C14N canonicalized SignedInfo was not performed against the configured IdP certificate's public key, DigestValue was not recomputed over the canonicalized referenced element, and canonicalize/2 remained an unused passthrough in the signature-verification path. The result was a structure-only acceptance path where document shape and trust-source rejection could succeed without proving the signature bytes. A forged SignatureValue carrying an attacker-controlled NameID could be accepted as {:ok}. This issue has been fixed in version 1.2.0.

