SAML Payloads Decrypted Without Valid Signature_CVE-2026-41694

3.7 / 10

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

Since Spring Security SAML decrypts SAML Responses as well as elements of SAML LogoutRequests and LogoutResponses without requiring a valid signature, attackers may be able to craft these SAML payloads and use the Service Provider as a decryption oracle.

Affected versions:
Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5.

Basic Information

ID CVE-2026-41694

Source vmware

Published Jun 9, 2026 at 23:47

Affected Product

Vendor Spring

Product Spring Security

Version 5.7.0

Affected Versions Spring Spring Security 5.7.0
Spring Spring Security 5.8.0
Spring Spring Security 6.3.0
Spring Spring Security 6.4.0
Spring Spring Security 6.5.0
Spring Spring Security 7.0.0

CWE Classification

CWE-347

References

spring.io /security/cve-2026-41694

{
    "lastseen": "",
    "description": "Since Spring Security SAML decrypts SAML Responses as well as elements of SAML LogoutRequests and LogoutResponses without requiring a valid signature, attackers may be able to craft these SAML payloads and use the Service Provider as a decryption oracle.\n\nAffected versions:\nSpring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5.",
    "published": "2026-06-09T23:47:17.784Z",
    "modified": "2026-06-09T23:47:17.784Z",
    "type": "cve",
    "title": "SAML Payloads Decrypted Without Valid Signature",
    "source": "vmware",
    "references": "https://spring.io/security/cve-2026-41694",
    "id": "CVE-2026-41694",
    "bulletinFamily": "",
    "cwe": [
        "CWE-347"
    ],
    "cvelist": null,
    "sourceData": "Spring Spring Security 5.7.0\nSpring Spring Security 5.8.0\nSpring Spring Security 6.3.0\nSpring Spring Security 6.4.0\nSpring Spring Security 6.5.0\nSpring Spring Security 7.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 3.7,
        "severity": "LOW",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Spring Security",
    "version": "5.7.0",
    "vendor": "Spring",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}