Critical severity, score 9.3 (NVD). Advisory published Dec 28, 2020; updated Jun 17, 2026.
CVE-2020-26290
Description
Dex is a federated OpenID Connect provider written in Go. In Dex before version 2.27.0 there is a critical set of vulnerabilities that affects users of the SAML connector. The vulnerabilities enable a potential signature bypass caused by XML encoding issues in the underlying Go library: the XML does not round-trip stably through the parser, so the bytes that are signature-checked and the bytes that are acted on can differ. The vulnerabilities have been addressed in version 2.27.0 by validating the XML with the xml-roundtrip-validator from Mattermost (see related references).
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/dexidp/dex | Go | < 2.27.0 | 2.27.0 |
| github.com/russellhaering/goxmldsig | Go | < 1.1.0 | 1.1.0 |
Affected products
OSV package coordinates (9 entries, none with a CPE):
- pkg:apk/chainguard/kots (no version range given)
- pkg:apk/chainguard/kots-compat (no version range given)
- pkg:apk/chainguard/kots-symlink-compat (no version range given)
- pkg:apk/wolfi/kots (no version range given)
- pkg:apk/wolfi/kots-compat (no version range given)
- pkg:apk/wolfi/kots-symlink-compat (no version range given)
- pkg:golang/github.com/dexidp/dex (range: < 2.27.0)
- pkg:golang/github.com/russellhaering/goxmldsig (range: < 1.1.0)
- pkg:rpm/opensuse/dex-oidc&distro=openSUSE%20Tumbleweed (range: < 2.28.1-1.3)
References
- github.com/dexidp/dex/commit/324b1c886b407594196113a3dbddebe38eecd4e8 (NVD: Patch, Third Party Advisory)
- github.com/advisories/GHSA-m9hp-7r99-94h5 (GHSA: Advisory)
- github.com/dexidp/dex/releases/tag/v2.27.0 (NVD: Third Party Advisory)
- github.com/dexidp/dex/security/advisories/GHSA-m9hp-7r99-94h5 (NVD: Third Party Advisory)
- github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-attributes.md (NVD: Third Party Advisory, marked Not Applicable)
- github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-directives.md (NVD: Third Party Advisory, marked Not Applicable)
- github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-elements.md (NVD: Third Party Advisory, marked Not Applicable)
- github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7 (NVD: Third Party Advisory, marked Not Applicable)
- mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/ (NVD: Third Party Advisory, marked Not Applicable; GHSA: Web)
- nvd.nist.gov/vuln/detail/CVE-2020-26290 (GHSA: Advisory)
- github.com/russellhaering/goxmldsig/commit/f6188febf0c29d7ffe26a0436212b19cb9615e64 (GHSA: Web)
- pkg.go.dev/vuln/GO-2020-0050 (GHSA: Web)