Threat Advisory

Critical Relyra Vulnerability Allows Forged SAML Signatures

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

CVE-2026-49454, rated CVSS 9.1, is an authentication bypass vulnerability in the Relyra SAML 2.0 Service Provider library for Elixir and Phoenix. The flaw stems from an incomplete XMLDSig trust boundary: the SignatureValue was never cryptographically verified, because the library performed neither public key verification against the configured Identity Provider certificate nor DigestValue recomputation. An attacker can exploit the issue over the network, without privileges or user interaction, by submitting a forged SAML response that carries a manipulated SignatureValue and an attacker-controlled NameID. Because the library validates the document's structure rather than the cryptographic integrity of its signature, authentication is bypassed completely. Any relying-party application using the vulnerable library is therefore at severe risk of unauthorized access: threat actors can impersonate arbitrary users and take full control of their accounts. Successful exploitation requires that the target application process SAML assertions through the affected response path of the vulnerable Relyra library.
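The two checks the summary says were missing, as an added worked example in Go that is not part of this advisory or of the Relyra library: a reference verifier that verifies SignatureValue under the configured IdP public key and recomputes the Reference DigestValue, placed beside a structure-only check that models the flawed trust boundary. XMLDSig canonicalization is omitted (the example hashes raw element bytes), the element layout, the subjects and the throwaway RSA key are constructed, and IssueResponse, TamperedCopy and the other function names are this example's own rather than anything from Relyra.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"strings"
)

// Response holds the pieces of a SAML Response the SP must check. Real XMLDSig signs canonicalized
// (C14N) XML; this example hashes raw element bytes instead. Every name and value here is constructed.
type Response struct {
	Assertion      string // the signed <saml:Assertion> element carrying NameID
	SignedInfo     string // <ds:SignedInfo>, which embeds the Reference DigestValue
	SignatureValue string // base64 RSA-PKCS1v15/SHA-256 signature over SignedInfo
}

// between returns the text between the first open tag and the following close tag ("" if absent).
func between(s, open, close string) string {
	_, after, _ := strings.Cut(s, open)
	val, _, _ := strings.Cut(after, close)
	return val
}
func nameID(assertion string) string { return between(assertion, "<saml:NameID>", "</saml:NameID>") }
func signedInfoFor(assertion string) string {
	d := sha256.Sum256([]byte(assertion))
	return "<ds:SignedInfo><ds:Reference><ds:DigestValue>" + base64.StdEncoding.EncodeToString(d[:]) +
		"</ds:DigestValue></ds:Reference></ds:SignedInfo>"
}

// StructureOnlyCheck models the flawed trust boundary: a decodable SignatureValue is enough; key and digest are never checked.
func StructureOnlyCheck(r Response) (string, error) {
	if sig, err := base64.StdEncoding.DecodeString(r.SignatureValue); err != nil || len(sig) == 0 {
		return "", fmt.Errorf("malformed SignatureValue")
	}
	return nameID(r.Assertion), nil // "looks signed", so the NameID is trusted
}

// VerifyResponse does what the vulnerable path skipped: verify SignatureValue with the IdP key, then recompute DigestValue.
func VerifyResponse(idp *rsa.PublicKey, r Response) (string, error) {
	sig, err := base64.StdEncoding.DecodeString(r.SignatureValue)
	if err != nil {
		return "", fmt.Errorf("malformed SignatureValue: %w", err)
	}
	// 1. Public-key verification of SignatureValue over SignedInfo with the pinned IdP key.
	if h := sha256.Sum256([]byte(r.SignedInfo)); rsa.VerifyPKCS1v15(idp, crypto.SHA256, h[:], sig) != nil {
		return "", fmt.Errorf("SignatureValue does not verify under the IdP certificate")
	}
	// 2. DigestValue recomputation (an undecodable DigestValue leaves want short, so the compare fails too).
	want, _ := base64.StdEncoding.DecodeString(between(r.SignedInfo, "<ds:DigestValue>", "</ds:DigestValue>"))
	if got := sha256.Sum256([]byte(r.Assertion)); subtle.ConstantTimeCompare(want, got[:]) != 1 {
		return "", fmt.Errorf("DigestValue does not match the signed element")
	}
	return nameID(r.Assertion), nil
}

// IssueResponse plays the IdP: a throwaway RSA key signs one assertion for subject.
func IssueResponse(subject string) (Response, *rsa.PublicKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Response{}, nil, err
	}
	r := Response{Assertion: "<saml:Assertion><saml:Subject><saml:NameID>" + subject + "</saml:NameID></saml:Subject></saml:Assertion>"}
	r.SignedInfo = signedInfoFor(r.Assertion)
	h := sha256.Sum256([]byte(r.SignedInfo))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return Response{}, nil, err
	}
	r.SignatureValue = base64.StdEncoding.EncodeToString(sig)
	return r, &priv.PublicKey, nil
}

// TamperedCopy builds a negative test vector: NameID replaced; with refresh, digest recomputed and SignatureValue set to random bytes.
func TamperedCopy(r Response, newID string, refresh bool) Response {
	out := r
	out.Assertion = strings.Replace(r.Assertion, nameID(r.Assertion), newID, 1)
	if refresh {
		junk := make([]byte, 256) // length of a 2048-bit RSA signature: well-formed, never valid
		_, _ = rand.Read(junk)
		out.SignedInfo, out.SignatureValue = signedInfoFor(out.Assertion), base64.StdEncoding.EncodeToString(junk)
	}
	return out
}

func main() {
	legit, pub, err := IssueResponse("bob@example.test")
	if err != nil {
		panic(err)
	}
	for _, r := range []Response{legit, TamperedCopy(legit, "carol@example.test", false), TamperedCopy(legit, "carol@example.test", true)} {
		id1, err1 := StructureOnlyCheck(r)
		id2, err2 := VerifyResponse(pub, r)
		fmt.Printf("structure-only: %q %v | full verification: %q %v\n", id1, err1, id2, err2)
	}
}
```

The two tampered copies exercise the two checks separately. Swapping the NameID while leaving SignedInfo untouched still passes signature verification, because the signature covers SignedInfo and not the assertion directly; only the DigestValue recomputation catches it. Refreshing the digest and substituting a random SignatureValue fails at the public-key step. The structure-only check accepts both copies and returns the attacker-chosen subject, which is the behaviour the advisory attributes to the vulnerable response path.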

RECOMMENDATION:

 

REFERENCES:

The following report contains further technical details:

https://github.com/advisories/GHSA-jv46-xfwm-36j7
