EXECUTIVE SUMMARY:
CVE-2026-46490 (CVSS score 8.7) is a privilege-escalation vulnerability in the npm package samlify affecting signed SAML assertions. All versions prior to 2.13.0 are affected. The defect is that samlify's template substitution does not escape values placed in attribute contexts, so an attacker who controls an attribute value can inject XML markup and add new saml:Attribute elements inside the signed assertion. Exploitation requires access to the service provider's login page or a similar endpoint that accepts SAML assertions; the attacker submits an assertion carrying a specially crafted attribute value. Because the injected attributes appear inside the signed assertion, an attacker can escalate privileges wherever attributes drive authorization decisions (roles, groups). The business impact includes unauthorized access to sensitive data and systems and potential damage to the organization's reputation.
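The defect class described above (substituting a value into an XML template without escaping) and its fix are easiest to see side by side. The following is an added illustration written for this page, not samlify's own code; the template string, the function names and the sample value are assumptions constructed for the demonstration. It renders one attribute with and without escaping and counts the resulting saml:Attribute elements, which is the check a reviewer would apply to any templated XML output.

```javascript
// Added example, not samlify's own code. Shows why a value substituted into
// an XML template must be escaped, and a simple structural check a defender
// can apply to rendered fragments. The template below is an assumption.
const ASSUMED_TEMPLATE =
  '<saml:Attribute Name="{Name}">' +
  '<saml:AttributeValue>{Value}</saml:AttributeValue>' +
  '</saml:Attribute>';

// Escape the five XML special characters so the value is always parsed as
// character data, never as markup, in both element and attribute contexts.
function escapeXml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: raw substitution. A value containing markup can close
// the current element and open new ones inside the fragment.
function renderUnescaped(name, value) {
  return ASSUMED_TEMPLATE
    .replace('{Name}', () => name)
    .replace('{Value}', () => value);
}

// Hardened pattern: every substituted value is escaped first.
function renderEscaped(name, value) {
  return ASSUMED_TEMPLATE
    .replace('{Name}', () => escapeXml(name))
    .replace('{Value}', () => escapeXml(value));
}

// Structural check: one substitution must yield exactly one saml:Attribute
// element. The regex deliberately does not match saml:AttributeValue.
function countAttributeElements(xml) {
  return (xml.match(/<saml:Attribute[\s>]/g) || []).length;
}

// Constructed sample value containing markup (not taken from any real
// assertion); it exercises the code path the advisory describes.
const CONSTRUCTED_MARKUP_VALUE =
  'alice</saml:AttributeValue></saml:Attribute>' +
  '<saml:Attribute Name="role"><saml:AttributeValue>extra';

// Returns the element counts for both renderings of the same input.
function compareRenderings(name, value) {
  return {
    unescaped: countAttributeElements(renderUnescaped(name, value)),
    escaped: countAttributeElements(renderEscaped(name, value)),
  };
}

console.log(compareRenderings('uid', CONSTRUCTED_MARKUP_VALUE));
```

The unescaped rendering yields two saml:Attribute elements from a single substitution, which is exactly the injection the advisory describes; the escaped rendering yields one, and the original text is preserved once an XML parser decodes the entities. A count check like this is cheap to add as a unit test on any code that builds XML from templates, independent of the library in use.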
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-34r5-q4jw-r36m