CVE-2026-49283 is a high-severity security vulnerability in simplesamlphp/saml2 (composer), affecting versions >= 6.0.0, < 6.2.1. It is fixed in 6.2.1, 5.0.6, 4.20.2.
Summary

SimpleSAMLphp's HTTP-Artifact receive path can treat an unsigned embedded SAML Response as cryptographically valid for the wrong IdP. In the HTTPArtifact::receive() flow, the SOAP ArtifactResponse receives a TLS-based validator from SOAPClient::addSSLValidator(). The embedded SAML Response then receives a validator that delegates signature validation to that outer ArtifactResponse. Later, the SP validates the embedded Response against metadata selected from the embedded Response's issuer, not necessarily the artifact issuer.

The critical issue is that SOAPClient::validateSSL() returns normally when the TLS public key does not match the key currently being validated, and SAML2\Message::validate() treats any validator call that does not throw an exception as successful. As a result, an ArtifactResponse obtained from one IdP can validate an unsigned embedded SAML Response that claims to be issued by a different IdP. In a multi-IdP/federation deployment where a malicious or lower-trust IdP can issue an HTTP-Artifact response to an SP, this can allow the attacker to authenticate to the SP as arbitrary users from a higher-trust victim IdP.

Impact

A malicious or lower-trust IdP in the same SP/federation trust set can authenticate to the SP as users from another IdP when HTTP-Artifact is used. The attacker can choose assertion attributes, NameID, and session data in the forged unsigned assertion. This is an authentication bypass and identity-provider impersonation issue. In realistic federations, the security boundary between IdPs matters: a compromised or low-assurance IdP should not be able to mint identities for a high-assurance IdP.
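The following PHP is an added illustrative model of the validator pattern the advisory describes; it is not simplesamlphp/saml2 code. Class and function names (ModelMessage, weakSslValidator, strictSslValidator, checkEmbeddedIssuer, receiveScenario), the issuer URLs and the key strings are all constructed for the example. It shows why a validator that returns normally on a key mismatch lets an unsigned embedded Response pass under a "no exception means valid" rule, and the two defensive checks that close it: failing explicitly on mismatch, and binding the embedded Response's issuer to the artifact issuer before metadata is selected.

```php
<?php
declare(strict_types=1);

// Illustrative model, not simplesamlphp/saml2 code. All names, issuer URLs
// and key strings below are constructed for this example.

final class ValidationException extends RuntimeException {}

final class ModelMessage
{
    /** @var list<array{callable, mixed}> */
    private array $validators = [];

    public function __construct(public readonly string $issuer) {}

    public function addValidator(callable $fn, mixed $data): void
    {
        $this->validators[] = [$fn, $data];
    }

    // Mirrors the rule the advisory describes: the message counts as valid
    // as soon as one registered validator returns without throwing.
    public function validate(string $expectedKey): bool
    {
        if ($this->validators === []) {
            throw new ValidationException('no validators registered');
        }
        $first = null;
        foreach ($this->validators as [$fn, $data]) {
            try {
                $fn($data, $expectedKey);
                return true;
            } catch (ValidationException $e) {
                $first ??= $e;
            }
        }
        throw $first ?? new ValidationException('validation failed');
    }
}

// Weak TLS validator: on a key mismatch it returns normally, so the caller
// treats the message as validated against a key it never actually checked.
function weakSslValidator(string $tlsKey, string $expectedKey): void
{
    if ($tlsKey === $expectedKey) {
        return;
    }
    // bug class: the mismatch is silently ignored instead of failing
}

// Hardened TLS validator: a mismatch is an explicit failure.
function strictSslValidator(string $tlsKey, string $expectedKey): void
{
    if (!hash_equals($expectedKey, $tlsKey)) {
        throw new ValidationException('TLS public key does not match the key being validated');
    }
}

// Second defence: the embedded Response must name the same issuer as the
// ArtifactResponse that carried it, checked before any metadata is selected.
function checkEmbeddedIssuer(ModelMessage $artifactResponse, ModelMessage $embedded): void
{
    if ($artifactResponse->issuer !== $embedded->issuer) {
        throw new ValidationException(sprintf(
            'embedded Response issuer %s does not match artifact issuer %s',
            $embedded->issuer,
            $artifactResponse->issuer
        ));
    }
}

// Runs the receive flow once and reports whether the unsigned embedded
// Response would be accepted.
function receiveScenario(callable $sslValidator, bool $bindIssuer): string
{
    // Constructed sample: the artifact was resolved over TLS from a low-trust
    // IdP whose TLS key is KEY-LOW; the embedded Response is unsigned and
    // claims a different, higher-trust issuer.
    $artifactResponse = new ModelMessage('https://idp-low.example/saml');
    $artifactResponse->addValidator($sslValidator, 'KEY-LOW');

    $embedded = new ModelMessage('https://idp-high.example/saml');
    $embedded->addValidator(
        static fn (ModelMessage $outer, string $key) => $outer->validate($key),
        $artifactResponse
    );

    // The SP picks metadata, and thus the expected key, from the embedded
    // Response's own issuer, as the advisory describes.
    $metadata = [
        'https://idp-high.example/saml' => 'KEY-HIGH',
        'https://idp-low.example/saml'  => 'KEY-LOW',
    ];

    try {
        if ($bindIssuer) {
            checkEmbeddedIssuer($artifactResponse, $embedded);
        }
        $embedded->validate($metadata[$embedded->issuer]);
        return 'ACCEPTED';
    } catch (ValidationException $e) {
        return 'REJECTED: ' . $e->getMessage();
    }
}

echo 'weak validator, no issuer binding:   ', receiveScenario('weakSslValidator', false), PHP_EOL;
echo 'strict validator, no issuer binding: ', receiveScenario('strictSslValidator', false), PHP_EOL;
echo 'weak validator, issuer binding:      ', receiveScenario('weakSslValidator', true), PHP_EOL;
```

Only the first scenario accepts the unsigned Response: the weak validator compares KEY-LOW against KEY-HIGH, returns without throwing, and the delegating validator on the embedded Response inherits that silent success. Either defence alone rejects it, which is why a validator in a "no exception means valid" chain must treat every non-match as an explicit failure rather than a no-op.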
CVE-2026-49283 has a CVSS score of 8.7 (High). The vector is network-reachable, high privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (6.2.1, 5.0.6, 4.20.2). Upgrading removes the vulnerable code path.
Affected packages (composer):

simplesamlphp/saml2 (>= 6.0.0, < 6.2.1)
simplesamlphp/saml2 (>= 5.0.0, < 5.0.6)
simplesamlphp/saml2 (< 4.20.2)
simplesamlphp/saml2-legacy (< 4.20.2)

Fixed versions (composer):

simplesamlphp/saml2 → 6.2.1
simplesamlphp/saml2 → 5.0.6
simplesamlphp/saml2 → 4.20.2
simplesamlphp/saml2-legacy → 4.20.2

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2026-49283 is reachable in your applications. Explore open-source security for your team.
Upgrade the following packages to resolve this vulnerability:

simplesamlphp/saml2 to 6.2.1 or later
simplesamlphp/saml2 to 5.0.6 or later
simplesamlphp/saml2 to 4.20.2 or later
simplesamlphp/saml2-legacy to 4.20.2 or later

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-49283 has a CVSS score of 8.7 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
simplesamlphp/saml2 (composer) (versions >= 6.0.0, < 6.2.1)
simplesamlphp/saml2-legacy (composer) (versions < 4.20.2)

Yes. CVE-2026-49283 is fixed in 6.2.1, 5.0.6, 4.20.2. Upgrade to one of these versions or later.
Whether CVE-2026-49283 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.