CVE-2026-41005: UAA accepts SAML Encrypted Assertions authentication bypass
Cloud Foundry UAA incorrectly treated XML encryption to the Service Provider (confidentiality) as a substitute for XML signatures from the Identity Provider (authenticity) in two SAML flows: the OAuth 2.0 SAML2 bearer grant (token endpoint) and browser SSO (ACS) when wantAssertionSigned is set to false. Assertions or responses that were unsigned but contained encrypted content could still be accepted. Encryption uses the SP's public key from published metadata, so any party, not only a trusted IdP, can produce ciphertext that UAA can decrypt; successful decryption therefore does not prove the IdP issued the message. Affected versions: Cloud Foundry UAA (uaa_release) 2.0.0 through 78.13.0; Cloud Foundry CF Deployment, all versions through 56.1.0.
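The faulty rule beside the corrected one, as an added example that is not UAA's code: `vulnerable_accepts` models the pre-fix reasoning (an EncryptedAssertion that decrypts with the SP key is treated as trusted), while `hardened_accepts` requires a ds:Signature from the IdP on either the Response or the decrypted Assertion. The `stub_decrypt` helper and the two sample messages are constructed stand-ins; a real SP would decrypt with its private key and then cryptographically verify the signature against the trusted IdP certificate, which the presence check below does not do.

```python
import base64
import xml.etree.ElementTree as ET
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

def _signed(elem):
    # Presence of an enveloped ds:Signature; the SP must still verify it.
    return elem is not None and elem.find("ds:Signature", NS) is not None

def vulnerable_accepts(response_xml, decrypt):
    """Pre-fix reasoning: content that decrypts with the SP key is trusted."""
    root = ET.fromstring(response_xml)
    if _signed(root) or _signed(root.find("saml:Assertion", NS)):
        return True
    enc = root.find("saml:EncryptedAssertion", NS)
    # Bug: anyone holding the SP's published public key can produce this.
    return enc is not None and decrypt(enc) is not None

def hardened_accepts(response_xml, decrypt):
    """Post-fix reasoning: an IdP signature is required; encryption is irrelevant."""
    root = ET.fromstring(response_xml)
    if _signed(root):                      # signature covering the whole Response
        return True
    assertion = root.find("saml:Assertion", NS)
    enc = root.find("saml:EncryptedAssertion", NS)
    if assertion is None and enc is not None:
        plaintext = decrypt(enc)           # decrypt first, then demand the signature
        assertion = ET.fromstring(plaintext) if plaintext else None
    return _signed(assertion)

def stub_decrypt(enc_elem):
    """Constructed stand-in for SP private-key decryption (CipherValue = base64)."""
    cv = enc_elem.find("xenc:EncryptedData/xenc:CipherData/xenc:CipherValue", NS)
    return base64.b64decode(cv.text) if cv is not None else None

def _response(assertion_xml):
    enc = base64.b64encode(assertion_xml.encode()).decode()
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'xmlns:xenc="{NS["xenc"]}"><saml:EncryptedAssertion><xenc:EncryptedData>'
            f'<xenc:CipherData><xenc:CipherValue>{enc}</xenc:CipherValue></xenc:CipherData>'
            '</xenc:EncryptedData></saml:EncryptedAssertion></samlp:Response>')

# Constructed samples: both are encrypted; only the second carries an IdP signature.
UNSIGNED = _response(f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="a1"/>')
SIGNED = _response(f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="a2">'
                   f'<ds:Signature xmlns:ds="{NS["ds"]}"/></saml:Assertion>')
```

The same split (encryption present, signature absent) is the pattern to alert on when reviewing SAML messages accepted by an unpatched UAA.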
Metrics
- CVSS v3.1: 9.0
- Severity: CRITICAL
- Fixed in: 57.0.0
- Affected Products: 2
HarborGuard Analysis
Synopsis
Authentication bypass in Cloud Foundry UAA (User Account and Authentication) allows a remote, unauthenticated attacker to forge SAML assertions and authenticate as any user, including administrators, without possessing credentials or a valid IdP-signed token. The flaw exists because UAA incorrectly accepted encrypted but unsigned SAML assertions, treating encryption alone as proof of authenticity. Successful exploitation grants full account takeover, including access to all data and operations the impersonated user is authorized for. Patched-image rebuilds at UAA 78.14.0 and CF Deployment 57.0.0 are available on HarborGuard for affected environments.
HarborGuard Coverage
Detection is available across every HarborGuard environment: CVE-2026-41005 is ingested from upstream advisory feeds within minutes of publication and matched against customer images in registries and CI pipelines, including custom-built images that bundle UAA or CF Deployment components.
HarborGuard can score this finding at CVSS 9.0 Critical and weight it against each environment's compliance policy, routing alerts to the appropriate team or inbox within the customer org based on image ownership and policy thresholds.
For environments running a UAA version between 2.0.0 and 78.13.0, or CF Deployment through 56.1.0, a patched-image rebuild at UAA 78.14.0 or CF Deployment 57.0.0 becomes available on HarborGuard once the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads.
Exploit Conditions
- Network reachability: Required
  The attacker must reach the UAA token endpoint or browser SSO ACS endpoint over the network; both are typically internet-exposed in Cloud Foundry deployments.
- Authentication: Not required
  No credentials or prior session are needed; the attacker constructs a forged SAML assertion using the SP's publicly available encryption key.
- Victim interaction: Not required
  The attack is fully server-side; no user needs to click a link or take any action for exploitation to succeed.
- Attack complexity: High
  Attack complexity is rated High because the attacker must correctly construct a well-formed encrypted SAML assertion using the SP's published public key and target a specific SAML flow configuration.
Blast Radius
- The attacker authenticates as an arbitrary user, including platform administrators, without knowing their credentials.
- With an admin-level impersonation, the attacker reads all tenant data, OAuth tokens, and user records stored in UAA.
- The attacker modifies user roles, creates new accounts, or revokes legitimate accounts across all organizations on the platform.
- The attacker disrupts authentication services for all users by altering identity provider bindings or invalidating active sessions.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-41005 is active across customer image scans at Critical severity (CVSS 9.0). For customers who opt into auto-remediation, HarborGuard can rebuild affected images at UAA 78.14.0 or CF Deployment 57.0.0, execute a regression test run, and open a pull request against affected workloads. For Critical-severity CVEs, the median time from publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy or environment constraints prevent auto-remediation, HarborGuard surfaces the finding in the triage queue with remediation guidance, including network-policy isolation of the UAA ACS and token endpoints as a compensating control while upgrade scheduling is underway. Customers who set wantAssertionSigned to true in their SAML configuration reduce exposure on unpatched versions, and HarborGuard can flag that configuration gap alongside the CVE finding where image inspection surfaces the UAA config.
Fix available
- Cloud Foundry / UAA: < 78.14.0 (from 2.0.0)
- Cloud Foundry / CF Deployment: < 57.0.0 (from 0.0.0)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H