Description

XML External Entity (XXE) vulnerability in esaml (and its forks) allows an attacker to cause the system to read local files and incorporate their contents into processed SAML documents, and potentially perform SSRF via crafted SAML messages. esaml parses attacker-controlled SAML messages using xmerl_scan:string/2 before signature verification without disabling XML entity expansion. On Erlang/OTP versions before 27, Xmerl allows entities by default, enabling pre-signature XXE attacks. An attacker can cause the host to read local files (e.g., Kubernetes-mounted secrets) into the SAML document. If the attacker is not a trusted SAML SP, signature verification will fail and the document is discarded, but file contents may still be exposed through logs or error messages. This issue affects all versions of esaml, including forks by arekinath, handnot2, and dropbox. Users running on Erlang/OTP 27 or later are not affected due to Xmerl defaulting to entities disabled.

INFO

Published Date :

2026-03-23T10:09:29.233Z

Last Modified :

2026-04-07T14:38:07.406Z

Source :

EEF
AFFECTED PRODUCTS

The following products are affected by CVE-2026-28809 vulnerability.

Vendors Products
Arekinath
  • Esaml
Dropbox
  • Esaml
Handnot2
  • Esaml
Jump-app
  • Esaml
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-28809.

URL Resource
https://cna.erlef.org/cves/CVE-2026-28809.html cve-icon cve-icon
https://github.com/Jump-App/esaml/commit/bab85efde7c136911402a881ca55173759467a26 cve-icon cve-icon
https://osv.dev/vulnerability/EEF-CVE-2026-28809 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability