CVE-2026-28809
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
XML External Entity (XXE) vulnerability in esaml (and its forks) allows an attacker to cause the system to read local files and incorporate their contents into processed SAML documents, and potentially perform SSRF via crafted SAML messages.
esaml parses attacker-controlled SAML messages using xmerl_scan:string/2 before signature verification without disabling XML entity expansion. On Erlang/OTP versions before 27, Xmerl allows entities by default, enabling pre-signature XXE attacks. An attacker can cause the host to read local files (e.g., Kubernetes-mounted secrets) into the SAML document. If the attacker is not a trusted SAML SP, signature verification will fail and the document is discarded, but file contents may still be exposed through logs or error messages.
This issue affects all versions of esaml, including forks by arekinath, handnot2, and dropbox. Users running on Erlang/OTP 27 or later are not affected due to Xmerl defaulting to entities disabled.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Jump-App | esaml | 0 < bab85efde7c136911402a881ca55173759467a26 | affected |
| Jump-App | esaml | bab85efde7c136911402a881ca55173759467a26 | unaffected |
Weaknesses
- CWE-611: CWE-611 Improper Restriction of XML External Entity Reference
Workarounds
Upgrade to Erlang/OTP 27 or later. Starting with OTP 27, xmerl_scan disables entity expansion by default, which mitigates this vulnerability without changes to esaml.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://cna.erlef.org/cves/CVE-2026-28809.html
- https://osv.dev/vulnerability/EEF-CVE-2026-28809
- https://github.com/Jump-App/esaml/commit/bab85efde7c136911402a881ca55173759467a26
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.