Cyber Resilience

CVE-2026-32313

HighPublic PoC

Published: 16 March 2026

Published
16 March 2026
Modified
17 March 2026
KEV Added
Patch
CVSS Score v3.1 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
EPSS Score 0.0015 4.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-32313 is a high-severity Improper Validation of Integrity Check Value (CWE-354) vulnerability in Xmlseclibs Project Xmlseclibs. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 4.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-32313 affects xmlseclibs, a PHP library for handling XML Encryption and Signatures, in versions prior to 3.1.5. The vulnerability stems from a lack of validation for the authentication tag length in XML nodes encrypted using AES-128-GCM, AES-192-GCM, or AES-256-GCM. This flaw, classified under CWE-354 (Improper Validation of Integrity Check Value), enables cryptographic weaknesses in GCM mode processing, as rated 8.2 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N).

A remote attacker with network access requires no privileges or user interaction to exploit this issue. By crafting malformed ciphertexts, they can brute-force the authentication tag due to insufficient length checks, recover the GHASH key, and decrypt the protected XML nodes to access confidential data. Additionally, attackers can forge arbitrary ciphertexts without knowledge of the encryption key, potentially enabling integrity violations in XML-based systems relying on this library for secure processing.

The vulnerability is addressed in xmlseclibs version 3.1.5, which includes a fix via commit 03062be78178cbb5e8f605cd255dc32a14981f92. Security practitioners should upgrade to this release immediately, as detailed in the GitHub security advisory GHSA-4v26-v6cg-g6f9 and the corresponding release notes.

EU & UK References

Vulnerability details

xmlseclibs is a library written in PHP for working with XML Encryption and Signatures. Prior to 3.1.5, XML nodes encrypted with either aes-128-gcm, aes-192-gcm, or aes-256-gcm lack validation of the authentication tag length. An attacker can use this to brute-force…

more

an authentication tag, recover the GHASH key, and decrypt the encrypted nodes. It also allows to forge arbitrary ciphertexts without knowing the encryption key. This vulnerability is fixed in 3.1.5.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1565.002 Transmitted Data Manipulation Impact
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

Remote unauthenticated network exploitation of XML encryption library directly maps to T1190; resulting decryption of protected nodes enables access to confidential data (T1005); GCM tag forgery enables manipulation of transmitted/encrypted data (T1565.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32600Shared CWE-354
CVE-2026-5479Shared CWE-354
CVE-2026-32105Shared CWE-354
CVE-2026-28402Shared CWE-354
CVE-2026-31839Shared CWE-354
CVE-2023-48795Shared CWE-354
CVE-2026-26275Shared CWE-354
CVE-2026-28498Shared CWE-354
CVE-2026-33026Shared CWE-354
CVE-2026-8597Shared CWE-354

Affected Assets

xmlseclibs project
xmlseclibs
≤ 3.1.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates identification, prioritization, and timely remediation of flaws like the authentication tag length validation failure in xmlseclibs by patching to version 3.1.5.

detect

Requires vulnerability scanning that identifies deployments of vulnerable xmlseclibs versions affected by CVE-2026-32313.

prevent

Ensures implementation of validated cryptographic protections to mitigate decryption and forgery risks from improper GCM authentication tag handling.

References