Cyber Resilience

CVE-2026-46490

High · Public PoC · Updated

Published: 08 June 2026

Modified: 17 June 2026
KEV Added
Patch
CVSS v4.0 Score: 8.7 (High)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0038 (30.2th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-46490 is a high-severity XML Injection (aka Blind XPath Injection, CWE-91) vulnerability in the samlify project's samlify library. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique SAML Tokens (T1606.002). The CVE is ranked at the 30.2th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

OWASP Top 10 for Web (2025)

EU & UK References

No EU or UK CSIRT advisories indexed for this CVE.

Vulnerability details

samlify is a Node.js library for SAML single sign-on. Prior to version 2.13.0, samlify’s template substitution only escapes attribute contexts. Values inserted into element text (e.g., <saml:AttributeValue>) are not escaped. A normal user can inject XML markup into an attribute value (e.g., email, name) and add new <saml:Attribute> elements inside the signed assertion. The IdP then signs the tampered assertion and the SP accepts the injected attributes as trusted. This allows privilege escalation when attributes are used for authorization (roles/groups). This issue has been patched in version 2.13.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1606.002 SAML Tokens (Credential Access)
An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.
Why these techniques?

XML injection in SAML attribute values allows forging additional claims inside signed assertions, directly enabling SAML token manipulation for privilege escalation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

Affected Assets

samlify project
samlify
≤ 2.13.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References