CVE-2026-28809: XXE in esaml SAML library allows local file read and potential SSRF
XML External Entity (XXE) vulnerability in esaml (and its forks) allows an attacker to cause the system to read local files and incorporate their contents into processed SAML documents, and potentially perform SSRF via crafted SAML messages. esaml parses attacker-controlled SAML messages using xmerl_scan:string/2 before signature verification without disabling XML entity expansion. On Erlang/OTP versions before 27, Xmerl allows entities by default, enabling pre-signature XXE attacks. An attacker can cause the host to read local files (e.g., Kubernetes-mounted secrets) into the SAML document. If the attacker is not a trusted SAML SP, signature verification will fail and the document is discarded, but file contents may still be exposed through logs or error messages. This issue affects all versions of esaml, including forks by arekinath, handnot2, and dropbox. Users running on Erlang/OTP 27 or later are not affected due to Xmerl defaulting to entities disabled.
Affected Software
Event History
Frequently Asked Questions
What is the severity of CVE-2026-28809?
CVE-2026-28809 is categorized as a high severity vulnerability due to the potential impact of local file reads and SSRF.
How do I fix CVE-2026-28809?
To mitigate CVE-2026-28809, ensure that you upgrade to a patched version of the esaml library and avoid using vulnerable configurations.
Which software is affected by CVE-2026-28809?
CVE-2026-28809 affects the esaml SAML library and versions of Erlang/OTP prior to 27.
What type of attacks can be performed using CVE-2026-28809?
CVE-2026-28809 allows for local file read attacks and potential Server-Side Request Forgery (SSRF) through crafted SAML documents.
Is CVE-2026-28809 a remote or local vulnerability?
CVE-2026-28809 is primarily a local vulnerability that can also lead to remote exploitation via SSRF.