CVE-2026-28809

MEDIUM EPSS 19.8%
Published Mar 23, 20263mo ago · Modified Jun 17, 20261w ago
6.3 CVSS 4.0
Medium
Find Similar
Published Mar 23, 2026 3mo ago
Last Modified Jun 17, 2026 1w ago

Description

XML External Entity (XXE) vulnerability in esaml (and its forks) allows an attacker to cause the system to read local files and incorporate their contents into processed SAML documents, and potentially perform SSRF via crafted SAML messages. esaml parses attacker-controlled SAML messages using xmerl_scan:string/2 before signature verification without disabling XML entity expansion. On Erlang/OTP versions before 27, Xmerl allows entities by default, enabling pre-signature XXE attacks. An attacker can cause the host to read local files (e.g., Kubernetes-mounted secrets) into the SAML document. If the attacker is not a trusted SAML SP, signature verification will fail and the document is discarded, but file contents may still be exposed through logs or error messages. This issue affects all versions of esaml, including forks by arekinath, handnot2, and dropbox. Users running on Erlang/OTP 27 or later are not affected due to Xmerl defaulting to entities disabled.

CVSS Details

Base Score
6.3
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
19.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-611

Affected Products 4

VendorProductVersionRange
arekinathesaml* ≤1.1
dropboxesaml*any
handnot2esaml* ≤4.2.0
jump-appesaml* ≤4.6.0

References 3

  • cna.erlef.org https://cna.erlef.org/cves/CVE-2026-28809.html
    PatchThird Party Advisory
  • github.com https://github.com/Jump-App/esaml/commit/bab85efde7c136911402a881ca55173759467a26
    Patch
  • osv.dev https://osv.dev/vulnerability/EEF-CVE-2026-28809
    Third Party Advisory

Remediation

  • cna.erlef.org https://cna.erlef.org/cves/CVE-2026-28809.html
    PatchThird Party Advisory
  • github.com https://github.com/Jump-App/esaml/commit/bab85efde7c136911402a881ca55173759467a26
    Patch