CVE-2026-32313

HighPublic PoC

Published: 16 March 2026

Published

16 March 2026

Modified

17 March 2026

KEV Added

—

Patch

—

CVSS Score 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

EPSS Score 0.0005 15.3th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-32313 is a high-severity Improper Validation of Integrity Check Value (CWE-354) vulnerability in Xmlseclibs Project Xmlseclibs. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mandates identification, prioritization, and timely remediation of flaws like the authentication tag length validation failure in xmlseclibs by patching to version 3.1.5.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Requires vulnerability scanning that identifies deployments of vulnerable xmlseclibs versions affected by CVE-2026-32313.

SC-13 Cryptographic Protection partial match

prevent

Ensures implementation of validated cryptographic protections to mitigate decryption and forgery risks from improper GCM authentication tag handling.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1005 Data from Local System Collection

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

attack.mitre.org →

T1565.002 Transmitted Data Manipulation Impact

Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.

attack.mitre.org →

Why these techniques?

Remote unauthenticated network exploitation of XML encryption library directly maps to T1190; resulting decryption of protected nodes enables access to confidential data (T1005); GCM tag forgery enables manipulation of transmitted/encrypted data (T1565.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

xmlseclibs is a library written in PHP for working with XML Encryption and Signatures. Prior to 3.1.5, XML nodes encrypted with either aes-128-gcm, aes-192-gcm, or aes-256-gcm lack validation of the authentication tag length. An attacker can use this to brute-force…

an authentication tag, recover the GHASH key, and decrypt the encrypted nodes. It also allows to forge arbitrary ciphertexts without knowing the encryption key. This vulnerability is fixed in 3.1.5.

Deeper analysisAI

CVE-2026-32313 affects xmlseclibs, a PHP library for handling XML Encryption and Signatures, in versions prior to 3.1.5. The vulnerability stems from a lack of validation for the authentication tag length in XML nodes encrypted using AES-128-GCM, AES-192-GCM, or AES-256-GCM. This flaw, classified under CWE-354 (Improper Validation of Integrity Check Value), enables cryptographic weaknesses in GCM mode processing, as rated 8.2 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N).

A remote attacker with network access requires no privileges or user interaction to exploit this issue. By crafting malformed ciphertexts, they can brute-force the authentication tag due to insufficient length checks, recover the GHASH key, and decrypt the protected XML nodes to access confidential data. Additionally, attackers can forge arbitrary ciphertexts without knowledge of the encryption key, potentially enabling integrity violations in XML-based systems relying on this library for secure processing.

The vulnerability is addressed in xmlseclibs version 3.1.5, which includes a fix via commit 03062be78178cbb5e8f605cd255dc32a14981f92. Security practitioners should upgrade to this release immediately, as detailed in the GitHub security advisory GHSA-4v26-v6cg-g6f9 and the corresponding release notes.