CVE-2026-41005
Description
Cloud Foundry UAA accepts unsigned SAML assertions if encrypted, allowing authentication bypass via arbitrary encrypted assertions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Cloud Foundry UAA versions v2.0.0 through v78.13.0 (and cf-deployment through v56.1.0) incorrectly treat XML encryption to the Service Provider (confidentiality) as a substitute for XML signatures from the Identity Provider (authenticity) in two SAML flows: the OAuth 2.0 SAML2 bearer grant (token endpoint) and browser SSO (ACS) when wantAssertionSigned is set to false. Assertions or responses that are unsigned but contain encrypted content are accepted, even though encryption alone does not prove the IdP issued the message [1].
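The confidentiality-versus-authenticity confusion described above, as an added example that is not UAA's own code: a toy Python validator over a constructed SAML Response, with XML-Enc decryption replaced by a hypothetical stub (the ciphertext is a placeholder), showing the flawed acceptance rule beside the corrected one under both wantAssertionSigned settings.

```python
# Added example, not UAA's code: why "encrypted" must not count as "signed" in SAML.
# The rule the page describes (encrypted => trusted) sits beside the correct one
# (IdP-signed => trusted). Decryption is stubbed: anyone with the SP's published
# public key can produce valid ciphertext, so it proves nothing about the issuer.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "xenc": "http://www.w3.org/2001/04/xmlenc#"}
# Constructed sample: an unsigned Response carrying only an EncryptedAssertion.
UNSIGNED_ENCRYPTED_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
 xmlns:saml="{NS['saml']}" xmlns:xenc="{NS['xenc']}" ID="_r1" Version="2.0">
 <saml:Issuer>https://idp.example/metadata</saml:Issuer>
 <saml:EncryptedAssertion><xenc:EncryptedData><xenc:CipherData>
  <xenc:CipherValue>PLACEHOLDER-CIPHERTEXT</xenc:CipherValue>
 </xenc:CipherData></xenc:EncryptedData></saml:EncryptedAssertion>
</samlp:Response>"""
DECRYPTED_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_a1" Version="2.0">
 <saml:Issuer>https://idp.example/metadata</saml:Issuer>
 <saml:Subject><saml:NameID>user@example.org</saml:NameID></saml:Subject>
</saml:Assertion>"""

def decrypt_assertion(encrypted):  # hypothetical stub for XML-Enc with the SP private key
    return ET.fromstring(DECRYPTED_ASSERTION)  # constructed plaintext, carries no ds:Signature

def has_signature(element):
    """True if an enveloped ds:Signature is present (signature value check omitted)."""
    return element is not None and element.find("ds:Signature", NS) is not None

def accept(response_xml, want_assertion_signed, encryption_implies_trust=False):
    """Would this Response be accepted? encryption_implies_trust=True models the flaw."""
    root = ET.fromstring(response_xml)
    encrypted = root.find("saml:EncryptedAssertion", NS)
    assertion = decrypt_assertion(encrypted) if encrypted is not None \
        else root.find("saml:Assertion", NS)
    if assertion is None:
        return False
    if encryption_implies_trust and encrypted is not None:
        return True  # the flaw: confidentiality to the SP mistaken for IdP authenticity
    # Correct rule: a signature is mandatory; the setting only decides where it must sit.
    if want_assertion_signed:
        return has_signature(assertion)
    return has_signature(root) or has_signature(assertion)

if __name__ == "__main__":
    for want in (True, False):  # same unsigned-but-encrypted input, both settings
        print("wantAssertionSigned:", want, "flawed:", accept(UNSIGNED_ENCRYPTED_RESPONSE, want, True),
              "fixed:", accept(UNSIGNED_ENCRYPTED_RESPONSE, want))
```

With the flawed rule the unsigned-but-encrypted Response is accepted under both settings; with the corrected rule it is rejected under both, and only a Response or Assertion that actually carries a signature passes.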
Exploitation
An attacker with network access to the UAA endpoint can obtain the Service Provider's public key from published metadata. Using this key, the attacker can encrypt an arbitrary SAML assertion or response and send it to UAA. No authentication or user interaction is required; the attacker only needs the ability to craft and deliver the encrypted SAML message to the vulnerable endpoint [1].
Impact
Successful exploitation allows an attacker to authenticate as any user in the system, including administrators, without possessing valid credentials. This leads to complete compromise of UAA and any downstream applications relying on it for authentication, resulting in full loss of confidentiality, integrity, and availability (CIA) of the affected Cloud Foundry deployment [1].
Mitigation
Users should upgrade uaa_release to version v78.15.0 or later (note that v78.14.0 has known issues) and cf-deployment to version v57.0.0 or later (which includes uaa_release v78.16.0). No workaround is available for unpatched versions [1].
AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=56.1.0
- (no CPE) range: <=56.1.0
- range: >=2.0.0 <=78.13.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.