xml-security is Missing AES-GCM Authentication Tag Validation on Encrypted Nodes Allows for Unauthorized Decryption
Description
xml-security is a library that implements XML signatures and encryption. Prior to versions 2.3.1 and 1.13.9, XML nodes encrypted with aes-128-gcm, aes-192-gcm, or aes-256-gcm lack validation of the authentication tag length. An attacker can use this to brute-force an authentication tag, recover the GHASH key, and decrypt the encrypted nodes. It also allows forging arbitrary ciphertexts without knowing the encryption key. This vulnerability is fixed in 2.3.1 and 1.13.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
xml-security library fails to validate AES-GCM authentication tag length, allowing attackers to brute-force tags and decrypt encrypted XML nodes.
The xml-security library, which implements XML signatures and encryption for SimpleSAMLphp, contains a critical vulnerability in its handling of AES-GCM encrypted nodes. Prior to versions 2.3.1 and 1.13.9, when decrypting nodes encrypted with aes-128-gcm, aes-192-gcm, or aes-256-gcm, the authentication tag length is not validated [2][3]. The library extracts the authentication tag using substr() but does not check that the resulting tag is the expected 16-byte length [3]. This allows an attacker to provide a truncated ciphertext, resulting in a short authentication tag (e.g., one byte) [3].
The attack surface is remote and network-based, as the vulnerability is triggered when the server processes maliciously crafted XML containing encrypted nodes [3]. No prior authentication is required if the encrypted data is presented during an unauthenticated exchange (e.g., SAML assertions). An attacker who can send a specially crafted ciphertext can exploit the missing length check to brute-force the reduced authentication tag space [2][3]. Once a valid short tag is found, the attacker can recover the GHASH key, which is constant for a given key and nonce combination [3]. With the GHASH key, the attacker can forge valid authentication tags for arbitrary ciphertexts and decrypt legitimate encrypted data without knowledge of the encryption key [2][3].
The impact is severe: full compromise of confidentiality and integrity of encrypted XML nodes. An attacker can decrypt sensitive data (e.g., SAML assertions, encrypted keys) and forge arbitrary encrypted content, potentially leading to authentication bypass or privilege escalation [3]. The vulnerability has been fixed in versions 2.3.1 and 1.13.9 by adding a strict length check on the authentication tag, throwing a RuntimeException if the tag length is not exactly 16 bytes [4]. Users are strongly advised to update immediately, as the flaw is trivially exploitable and has been proven with a proof-of-concept [3][4]. No workaround is available; patching is the only mitigation.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
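As an added illustration (not code from xml-security or its authors), the PHP below puts the vulnerable substr() pattern described above next to the hardened form the fix commits use, on a constructed key, nonce and payload. The helper names, the aes-256-gcm choice and the sample values are assumptions. What it shows is that a blob shorter than 16 bytes makes substr() with a negative offset return the whole blob as the "tag", and that an explicit length check is what stops such a tag from reaching openssl_decrypt, since OpenSSL's GCM decryption accepts tags shorter than 16 bytes.

```php
<?php
declare(strict_types=1);

// Added example, not code from xml-security: a minimal AES-GCM decrypt
// helper in the vulnerable shape (trailing tag taken with substr() and
// used as-is) next to the hardened shape that mirrors the fix commits.
// Blob layout follows the page: raw ciphertext with the 16-byte tag appended.

const AUTH_TAG_LEN = 16;
const CIPHER = 'aes-256-gcm'; // assumed; the advisory covers all three GCM key sizes

function encryptGcm(string $key, string $iv, string $plaintext): string
{
    $tag = '';
    $ct = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, '', AUTH_TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encryption failed: ' . openssl_error_string());
    }
    return $ct . $tag;
}

// Vulnerable shape: substr() with a negative offset on a blob shorter than
// AUTH_TAG_LEN returns the whole blob, so a 1-byte blob becomes a 1-byte
// "tag". OpenSSL accepts truncated GCM tags on decrypt, so the only
// outcome is an ordinary verification failure, not a length error.
function decryptGcmUnchecked(string $key, string $iv, string $blob): string|false
{
    $tag = substr($blob, -AUTH_TAG_LEN);
    $ct  = substr($blob, 0, -AUTH_TAG_LEN);
    return openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
}

// Hardened shape: refuse anything whose trailing tag is not exactly
// AUTH_TAG_LEN bytes before the ciphertext is split off.
function decryptGcmChecked(string $key, string $iv, string $blob): string|false
{
    $tag = substr($blob, -AUTH_TAG_LEN);
    if (strlen($tag) !== AUTH_TAG_LEN) {
        throw new RuntimeException('Authentication tag length is invalid');
    }
    $ct = substr($blob, 0, -AUTH_TAG_LEN);
    return openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
}

// Constructed demo values (a nonce must never be reused under the same key).
$key  = random_bytes(32);
$iv   = random_bytes(12);
$blob = encryptGcm($key, $iv, '<saml:Assertion/>');

// Well-formed blob: the hardened helper round-trips.
if (decryptGcmChecked($key, $iv, $blob) !== '<saml:Assertion/>') {
    throw new RuntimeException('round-trip failed');
}

// Truncated blob: only the first byte survives, so the "tag" is 1 byte.
$truncated = substr($blob, 0, 1);
printf("tag length seen by the unchecked helper: %d byte(s)\n", strlen(substr($truncated, -AUTH_TAG_LEN)));
$r = decryptGcmUnchecked($key, $iv, $truncated);
echo 'unchecked helper: no exception, openssl_decrypt returned ', var_export($r, true), PHP_EOL;

try {
    decryptGcmChecked($key, $iv, $truncated);
} catch (RuntimeException $e) {
    echo 'checked helper: ', $e->getMessage(), PHP_EOL;
}
```

The unchecked helper's result for the truncated blob is indistinguishable from a routine bad-tag failure, which is why nothing in the old code path would have flagged repeated short-tag submissions; the hardened helper turns the malformed input into a hard error before any cryptographic comparison happens.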
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Registry | Affected versions | Patched versions |
|---|---|---|---|
| simplesamlphp/xml-security | Packagist | >= 2.0.0, < 2.3.1 | 2.3.1 |
| simplesamlphp/xml-security | Packagist | < 1.13.9 | 1.13.9 |
Affected products
- simplesamlphp/xml-security, range: < 2.3.1, < 1.13.9
- simplesamlphp/xml-security, range: >= 2.0.0, < 2.3.1
Patches
Commit cad6d57cf0a5: Merge commit from fork
1 file changed · +4 −0
src/Backend/OpenSSL.php+4 −0 modified@@ -7,6 +7,7 @@ use SimpleSAML\XMLSecurity\Constants as C; use SimpleSAML\XMLSecurity\Exception\InvalidArgumentException; use SimpleSAML\XMLSecurity\Exception\OpenSSLException; +use SimpleSAML\XMLSecurity\Exception\RuntimeException; use SimpleSAML\XMLSecurity\Key\AsymmetricKey; use SimpleSAML\XMLSecurity\Key\KeyInterface; use SimpleSAML\XMLSecurity\Key\PrivateKey; @@ -158,6 +159,9 @@ public function decrypt( $options = OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING; if ($this->useAuthTag) { // configure GCM mode $authTag = substr($ciphertext, - self::AUTH_TAG_LEN); + if (strlen($authTag) !== self::AUTH_TAG_LEN { + throw new RuntimeException('Authentication tag length is invalid'); + } $ciphertext = substr($ciphertext, 0, - self::AUTH_TAG_LEN); $options = OPENSSL_RAW_DATA; }
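Review bot: `if (strlen($authTag) !== self::AUTH_TAG_LEN {` in the decrypt() hunk has no closing parenthesis after `self::AUTH_TAG_LEN`; as rendered here it would not parse, so either the extraction dropped a character or the line needs to read `if (strlen($authTag) !== self::AUTH_TAG_LEN) {`. The placement of the check is right: `substr($ciphertext, - self::AUTH_TAG_LEN)` on a ciphertext shorter than AUTH_TAG_LEN returns the whole string, so validating strlen($authTag) before the second substr() is what keeps a truncated tag from reaching openssl_decrypt. A ciphertext of exactly AUTH_TAG_LEN bytes still passes (empty ciphertext with a full tag), which is a legitimate encryption of an empty plaintext.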
Commit fdc12449e959: Merge commit from fork
1 file changed · +4 −0
src/Backend/OpenSSL.php+4 −0 modified@@ -7,6 +7,7 @@ use SimpleSAML\XMLSecurity\Constants as C; use SimpleSAML\XMLSecurity\Exception\InvalidArgumentException; use SimpleSAML\XMLSecurity\Exception\OpenSSLException; +use SimpleSAML\XMLSecurity\Exception\RuntimeException; use SimpleSAML\XMLSecurity\Key\AsymmetricKey; use SimpleSAML\XMLSecurity\Key\KeyInterface; use SimpleSAML\XMLSecurity\Key\PrivateKey; @@ -153,6 +154,9 @@ public function decrypt( $options = OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING; if ($this->useAuthTag) { // configure GCM mode $authTag = substr($ciphertext, - self::AUTH_TAG_LEN); + if (strlen($authTag) !== self::AUTH_TAG_LEN { + throw new RuntimeException('Authentication tag length is invalid'); + } $ciphertext = substr($ciphertext, 0, - self::AUTH_TAG_LEN); $options = OPENSSL_RAW_DATA; }
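Review bot: this second fix commit carries the identical hunk at a different offset (`@@ -153,6 +154,9 @@` rather than `@@ -158,6 +159,9 @@`), including the same `!== self::AUTH_TAG_LEN {` with the missing closing parenthesis, so both branches need the same parse check. A regression test that hands decrypt() a ciphertext shorter than AUTH_TAG_LEN and expects RuntimeException would guard both branches against the check being lost in a later merge.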
References
- github.com/advisories/GHSA-r353-4845-pr5p (advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-32600 (advisory)
- github.com/simplesamlphp/xml-security/commit/cad6d57cf0a5a0b7e0cc4e4a5b18752e56eb1520 (fix commit)
- github.com/simplesamlphp/xml-security/commit/fdc12449e959c610943f9fd428e95e3832d74c25 (fix commit)
- github.com/simplesamlphp/xml-security/security/advisories/GHSA-r353-4845-pr5p (project security advisory)