CVSS 7.5 HIGH Vulnerability

CVE-2026-46490: samlify: XML Injection in AttributeValue Allows Privilege Escalation in Signed SAML Asser…


CVSS Score: 7.5
Severity: HIGH
CISA KEV: No
Impact Type: Vulnerability

📋 Vulnerability Details

CVE ID: CVE-2026-46490
Vendor: npm
Affected Product: samlify
Vulnerability Type: Vulnerability
CVSS Score: 7.5 (HIGH)
Actively Exploited: ❌ No known exploitation
Patch Status: See Vendor Advisory
Reported By: CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis


Summary: samlify's template substitution only escapes attribute contexts. Values inserted into element text (e.g., ) are not escaped. A normal user can inject XML markup into an attribute value (e.g., email, name) and add new elements inside the signed assertion. The IdP then signs the tampered assertion and the SP accepts the injected attributes as trusted. This allows privilege escalation when attributes are used for authorization (roles/groups).

Root Cause: `replaceTagsByValue()` in `src/libsaml.ts` only escapes placeholders when preceded by a quote (attribute context). Element text is inserted raw. The attribute builder inserts placeholders into element text: `{attrUserX}`. Therefore, is accepted and signed.

Proof-of-concept: `poc/attribute_injection.ts`
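The root cause above (escaping keyed on a preceding quote, so element-text placeholders are substituted raw) side by side with a context-independent fix, as an added illustration written for this page; it is not samlify's code, and `renderAttributeContextOnly`, `renderEscapeAll`, `leaksMarkup` and the template are hypothetical stand-ins for the project's own `replaceTagsByValue()` and attribute builder.

```typescript
// Illustrative code, not samlify's implementation. Function names and the
// template below are constructed for this example.

// XML escaping that is safe in both element text and attribute values.
function escapeXml(value: string): string {
  return value
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&apos;');
}

// Models the flawed behaviour: a placeholder is escaped only when a quote
// precedes it (attribute context); a placeholder in element text is raw.
function renderAttributeContextOnly(template: string, tags: Record<string, string>): string {
  return template.replace(/(["']?)\{(\w+)\}/g, (whole: string, quote: string, key: string) => {
    if (!(key in tags)) return whole;
    return quote ? quote + escapeXml(tags[key]) : tags[key]; // text context: unescaped
  });
}

// Hardened variant: every substituted value is escaped regardless of where
// the placeholder sits, so user-controlled data can never become markup.
function renderEscapeAll(template: string, tags: Record<string, string>): string {
  return template.replace(/\{(\w+)\}/g, (whole: string, key: string) =>
    key in tags ? escapeXml(tags[key]) : whole);
}

// Constructed template: one placeholder in an attribute, one in element text.
const ATTRIBUTE_TEMPLATE =
  '<saml:Attribute Name="{attrName}"><saml:AttributeValue>{attrValue}</saml:AttributeValue></saml:Attribute>';

// Constructed user-controlled value carrying markup characters.
const TAGS: Record<string, string> = { attrName: 'email', attrValue: 'alice<x/>@example.com' };

// Defender-side check: did substitution introduce any '<' beyond those the
// template itself contains? If so, a value has become markup.
function leaksMarkup(template: string, rendered: string): boolean {
  const count = (s: string) => (s.match(/</g) || []).length;
  return count(rendered) > count(template);
}
```

Run `leaksMarkup` over the output of any template renderer that handles untrusted attribute values to confirm that no value is reaching element text unescaped.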

