CVE-2026-28809

{"id": "CVE-2026-28809", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-23T11:16:24.343", "references": [{"url": "https://cna.erlef.org/cves/CVE-2026-28809.html", "tags": ["Third Party Advisory", "Patch"], "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db"}, {"url": "https://github.com/Jump-App/esaml/commit/bab85efde7c136911402a881ca55173759467a26", "tags": ["Patch"], "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db"}, {"url": "https://osv.dev/vulnerability/EEF-CVE-2026-28809", "tags": ["Third Party Advisory"], "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "description": [{"lang": "en", "value": "CWE-611"}]}], "descriptions": [{"lang": "en", "value": "XML External Entity (XXE) vulnerability in esaml (and its forks) allows an attacker to cause the system to read local files and incorporate their contents into processed SAML documents, and potentially perform SSRF via crafted SAML messages.\n\nesaml parses attacker-controlled SAML messages using xmerl_scan:string/2 before signature verification without disabling XML entity expansion. On Erlang/OTP versions before 27, Xmerl allows entities by default, enabling pre-signature XXE attacks. An attacker can cause the host to read local files (e.g., Kubernetes-mounted secrets) into the SAML document. If the attacker is not a trusted SAML SP, signature verification will fail and the document is discarded, but file contents may still be exposed through logs or error messages.\n\nThis issue affects all versions of esaml, including forks by arekinath, handnot2, and dropbox. Users running on Erlang/OTP 27 or later are not affected due to Xmerl defaulting to entities disabled."}, {"lang": "es", "value": "La vulnerabilidad de Entidad Externa XML (XXE) en esaml (y sus bifurcaciones) permite a un atacante hacer que el sistema lea archivos locales e incorpore su contenido en documentos SAML procesados, y potencialmente realizar SSRF a trav\u00e9s de mensajes SAML manipulados.\n\nesaml analiza mensajes SAML controlados por el atacante utilizando xmerl_scan:string/2 antes de la verificaci\u00f3n de firma sin deshabilitar la expansi\u00f3n de entidades XML. En versiones de Erlang/OTP anteriores a la 27, Xmerl permite entidades por defecto, lo que habilita ataques XXE previos a la firma. Un atacante puede hacer que el host lea archivos locales (por ejemplo, secretos montados en Kubernetes) en el documento SAML. Si el atacante no es un SP SAML de confianza, la verificaci\u00f3n de firma fallar\u00e1 y el documento ser\u00e1 descartado, pero el contenido del archivo a\u00fan puede quedar expuesto a trav\u00e9s de registros o mensajes de error.\n\nEste problema afecta a todas las versiones de esaml, incluyendo las bifurcaciones de arekinath, handnot2 y dropbox. Los usuarios que ejecutan Erlang/OTP 27 o posterior no se ven afectados debido a que Xmerl deshabilita las entidades por defecto."}], "lastModified": "2026-05-22T15:09:31.417", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:arekinath:esaml:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "632ECB93-A90B-4407-8BAB-433D2A363B7E", "versionEndIncluding": "1.1"}, {"criteria": "cpe:2.3:a:dropbox:esaml:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0392F7E9-6EBE-49F6-B54D-C8539A6A0F9E"}, {"criteria": "cpe:2.3:a:handnot2:esaml:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1F58CE0D-4684-452D-8A61-ACC5DB13BE2A", "versionEndIncluding": "4.2.0"}, {"criteria": "cpe:2.3:a:jump-app:esaml:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7BA5EFB0-D3E0-4900-A14F-B5E08135224F", "versionEndIncluding": "4.6.0"}], "operator": "OR"}]}], "sourceIdentifier": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db"}