VYPR
Critical severity 9.3 · NVD Advisory · Published Dec 28, 2020 · Updated Jun 17, 2026

CVE-2020-26290

Description

Dex is a federated OpenID Connect provider written in Go. Dex versions before 2.27.0 contain a critical set of vulnerabilities that impacts users leveraging the SAML connector. The vulnerabilities enable a potential signature bypass due to issues with XML encoding in the underlying Go library. They have been addressed in version 2.27.0 by using the xml-roundtrip-validator from Mattermost (see related references).

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| github.com/dexidp/dex (Go) | < 2.27.0 | 2.27.0 |
| github.com/russellhaering/goxmldsig (Go) | < 1.1.0 | 1.1.0 |
