EEF-CVE-2026-28809

Source
https://cna.erlef.org/osv/EEF-CVE-2026-28809.html
Import Source
https://cna.erlef.org/osv/EEF-CVE-2026-28809.json
JSON Data
https://api.test.osv.dev/v1/vulns/EEF-CVE-2026-28809
Aliases
Published
2026-03-23T10:09:29.233Z
Modified
2026-03-25T20:25:08.926439Z
Severity
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
XXE in esaml SAML library allows local file read and potential SSRF
Details

XML External Entity (XXE) vulnerability in esaml (and its forks) allows an attacker to cause the system to read local files and incorporate their contents into processed SAML documents, and potentially perform SSRF via crafted SAML messages.

esaml parses attacker-controlled SAML messages with xmerl_scan:string/2 before signature verification, without disabling XML entity expansion. On Erlang/OTP versions before 27, xmerl expands entities by default, which enables XXE attacks that take effect before any signature check. An attacker can cause the host to read local files (e.g., Kubernetes-mounted secrets) into the parsed SAML document. If the attacker is not a trusted SAML SP, signature verification fails and the document is discarded, but the file contents may still be exposed through logs or error messages.

This issue affects all versions of esaml, including the forks by arekinath, handnot2, and dropbox. Users running on Erlang/OTP 27 or later are not affected, because xmerl disables entity expansion by default there.

Database specific
{
    "cwe_ids": [
        "CWE-611"
    ],
    "capec_ids": [
        "CAPEC-201"
    ],
    "cpe_ids": [
        "cpe:2.3:a:dropbox:esaml:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:arekinath:esaml:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:handnot2:esaml:*:*:*:*:*:*:*:*"
    ]
}
References
Credits
    • Bryan Lynch - FINDER
    • Jonatan Männchen / EEF - COORDINATOR

Affected packages

Hex
esaml

Package

Name
esaml
Purl
pkg:hex/esaml

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version / all previous versions are affected)

Affected versions

3.*
3.0.1
3.1.0
3.2.0
3.3.0
3.4.0
3.5.0
3.6.0
3.6.1
3.7.0
4.*
4.0.0
4.1.0
4.2.0
4.3.0
4.4.0
4.5.0
4.6.0

Database specific

source
"https://cna.erlef.org/osv/EEF-CVE-2026-28809.json"
Git
github.com/arekinath/esaml.git

Affected ranges

Type
GIT
Repo
https://github.com/arekinath/esaml.git
Events
Introduced
0 (unknown introduced commit / all previous commits are affected)

Affected versions

v0.*
v0.1
v1.*
v1.0
v1.1

Database specific

source
"https://cna.erlef.org/osv/EEF-CVE-2026-28809.json"
github.com/handnot2/esaml.git

Affected ranges

Type
GIT
Repo
https://github.com/handnot2/esaml.git
Events
Introduced
0 (unknown introduced commit / all previous commits are affected)

Affected versions

2.*
2.0.0
v0.*
v0.1
v1.*
v1.0
v1.1
v2.*
v2.1.0
v3.*
v3.0.0
v3.0.1
v3.1.0
v3.2.0
v3.3.0
v3.4.0
v3.5.0
v3.6.0
v3.6.1
v4.*
v4.0.0
v4.1.0
v4.2.0

Database specific

source
"https://cna.erlef.org/osv/EEF-CVE-2026-28809.json"
github.com/dropbox/esaml.git

Affected ranges

Type
GIT
Repo
https://github.com/dropbox/esaml.git
Events
Introduced
0 (unknown introduced commit / all previous commits are affected)

Database specific

source
"https://cna.erlef.org/osv/EEF-CVE-2026-28809.json"