CVE-2026-41694
Description
Spring Security SAML allows decryption of SAML payloads without a valid signature, enabling attackers to use the Service Provider as a decryption oracle.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Since Spring Security SAML decrypts SAML Responses as well as elements of SAML LogoutRequests and LogoutResponses without requiring a valid signature, attackers may be able to craft these SAML payloads and use the Service Provider as a decryption oracle. This affects Spring Security versions 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; and 7.0.0 through 7.0.5 [1].
Exploitation
An attacker needs to craft specific SAML payloads, such as SAML Responses, LogoutRequests, or LogoutResponses. By sending these crafted payloads to a vulnerable Service Provider, the attacker can leverage it as a decryption oracle. Network access to the Service Provider is required, and no specific authentication or user interaction is mentioned as necessary in the available references [1].
Impact
Attackers can use the Service Provider as a decryption oracle by crafting SAML payloads that are decrypted without a valid signature. This could potentially lead to the disclosure of sensitive information contained within the SAML messages or allow for manipulation of the SAML authentication flow, depending on how the decrypted data is processed. The exact impact is not fully detailed in the available references [1].
Mitigation
This vulnerability is addressed in patched versions of Spring Security. Specific fixed versions are not detailed in the provided reference, but users are advised to update to a non-vulnerable version. No workarounds are mentioned, and the vulnerability is not listed as being part of the Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
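To illustrate the ordering problem the description implies, here is an added, constructed model (not Spring Security's code, and not real SAML XML) of a Service Provider that decrypts before checking the IdP signature versus one that verifies first; the keys, message layout and function names are assumptions.

```python
import os
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Constructed keys: the IdP signs messages, the SP holds the decryption key.
IDP_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
SP_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)


def idp_encrypt(assertion: bytes) -> dict:
    """Model of <EncryptedAssertion>: AES-GCM content key wrapped with the SP's RSA key."""
    cek = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    return {"enc_key": SP_KEY.public_key().encrypt(cek, OAEP),
            "nonce": nonce, "ct": AESGCM(cek).encrypt(nonce, assertion, None)}


def _signed_bytes(msg: dict) -> bytes:
    return msg["enc_key"] + msg["nonce"] + msg["ct"]


def idp_sign(msg: dict) -> dict:
    """Only the legitimate IdP can add a valid signature over the encrypted material."""
    msg["sig"] = IDP_KEY.sign(_signed_bytes(msg), PSS, hashes.SHA256())
    return msg


def _sp_decrypt(msg: dict) -> bytes:
    cek = SP_KEY.decrypt(msg["enc_key"], OAEP)
    return AESGCM(cek).decrypt(msg["nonce"], msg["ct"], None)


def sp_handle_vulnerable(msg: dict) -> bytes:
    """Behaviour the advisory describes: decrypt without requiring a valid signature,
    so any party that can reach the SP gets ciphertext meant for it decrypted."""
    return _sp_decrypt(msg)


def sp_handle_fixed(msg: dict) -> bytes:
    """Hardened ordering: reject unsigned or badly signed payloads before decrypting."""
    if "sig" not in msg:
        raise ValueError("rejected: unsigned SAML payload")
    try:
        IDP_KEY.public_key().verify(msg["sig"], _signed_bytes(msg), PSS, hashes.SHA256())
    except InvalidSignature:
        raise ValueError("rejected: signature does not verify") from None
    return _sp_decrypt(msg)
```

In a real deployment the SP does not hand plaintext back to the sender; the oracle arises from whatever the SP does with decrypted data, which is why the signature check has to come first.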
Affected products
- Range: 5.7.0-5.7.23, 5.8.0-5.8.25, 6.3.0-6.3.16, 6.4.0-6.4.16, 6.5.0-6.5.10, 7.0.0-7.0.5
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE; mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
- Spring Projects: 25 Vulnerabilities Disclosed, Including SpEL Injection and Deserialization Flaws (Vypr Intelligence, Jun 10, 2026)