HarborGuard Database
CVE-2026-49454 (CNA: GitHub_M)

CVE-2026-49454: Relyra SAML SignatureValue not cryptographically verified -> authentication bypass

Relyra is a strict-by-default SAML 2.0 Service Provider library for Elixir and Phoenix. Versions 1.0.0 and 1.1.0 accept forged SAML signatures because SignatureValue was never cryptographically verified before the library returned a successful authentication result. Three steps of the XMLDSig trust boundary were missing: :public_key.verify was not run over the exclusive-C14N canonicalized SignedInfo against the public key of the configured IdP certificate, DigestValue was not recomputed over the canonicalized referenced element, and canonicalize/2 remained an unused passthrough in the signature-verification path. What remained was a structure-only acceptance path: a response could pass the document-shape and trust-source checks without the signature bytes ever being proven, so a forged SignatureValue carrying an attacker-controlled NameID could be accepted as {:ok}. This issue has been fixed in version 1.2.0.
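The two acceptance paths the description contrasts, side by side, as an added example that is not Relyra's code (it is written in Go rather than Elixir so that it runs with only the standard library). VerifyStructureOnly reproduces the vulnerable shape-and-trust-source check; VerifyXMLDSig adds the two missing steps, recomputing DigestValue over the referenced element and verifying SignatureValue over SignedInfo with the configured IdP key. canonAssertion and canonSignedInfo are fixed serializations standing in for exclusive C14N, which a real SP must perform on the actual XML; the IdP entity ID, assertion IDs and NameIDs are constructed for the demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// Assertion: the Issuer the SP trusts and the NameID it will log the user in as.
type Assertion struct{ ID, Issuer, NameID string }

// Signature mirrors an enveloped XMLDSig block: DigestValue covers the assertion, SignatureValue covers SignedInfo.
type Signature struct{ ReferenceURI, DigestValue, SignatureValue string }

// canonAssertion and canonSignedInfo stand in for exclusive C14N (fixed serializations, not
// real exc-C14N); digest and signature must be computed over the bytes the SP is about to trust.
func canonAssertion(a Assertion) []byte {
	return []byte(fmt.Sprintf(`<saml:Assertion ID=%q><saml:Issuer>%s</saml:Issuer>`+
		`<saml:Subject><saml:NameID>%s</saml:NameID></saml:Subject></saml:Assertion>`,
		a.ID, a.Issuer, a.NameID))
}

func canonSignedInfo(s Signature) []byte {
	return []byte(fmt.Sprintf(`<ds:SignedInfo><ds:Reference URI=%q><ds:DigestValue>%s</ds:DigestValue></ds:Reference></ds:SignedInfo>`,
		s.ReferenceURI, s.DigestValue))
}

func b64(b []byte) string { return base64.StdEncoding.EncodeToString(b) }

// SignResponse is the IdP side: digest the assertion, then sign SignedInfo.
func SignResponse(priv *rsa.PrivateKey, a Assertion) (Signature, error) {
	d := sha256.Sum256(canonAssertion(a))
	sig := Signature{ReferenceURI: "#" + a.ID, DigestValue: b64(d[:])}
	h := sha256.Sum256(canonSignedInfo(sig))
	sv, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return Signature{}, err
	}
	sig.SignatureValue = b64(sv)
	return sig, nil
}

// checkShape is everything the vulnerable path checked: trusted Issuer, Reference pointing at the assertion, some SignatureValue present.
func checkShape(a Assertion, s Signature, trustedIssuer string) error {
	switch {
	case a.Issuer != trustedIssuer:
		return errors.New("untrusted Issuer")
	case s.ReferenceURI != "#"+a.ID:
		return errors.New("Reference does not point at the assertion")
	case s.SignatureValue == "":
		return errors.New("SignatureValue missing")
	}
	return nil
}

// VerifyStructureOnly reproduces the vulnerable acceptance path: shape and trust source pass, SignatureValue is never verified.
func VerifyStructureOnly(a Assertion, s Signature, trustedIssuer string) (string, error) {
	if err := checkShape(a, s, trustedIssuer); err != nil {
		return "", err
	}
	return a.NameID, nil // VULNERABLE: the signature bytes were never proven
}

// VerifyXMLDSig is the hardened path: recompute DigestValue over the canonical referenced element,
// verify SignatureValue over canonical SignedInfo with the configured IdP key, then trust NameID.
func VerifyXMLDSig(a Assertion, s Signature, trustedIssuer string, idpPub *rsa.PublicKey) (string, error) {
	if err := checkShape(a, s, trustedIssuer); err != nil {
		return "", err
	}
	want := sha256.Sum256(canonAssertion(a))
	got, err := base64.StdEncoding.DecodeString(s.DigestValue)
	if err != nil || subtle.ConstantTimeCompare(want[:], got) != 1 {
		return "", errors.New("DigestValue does not match the referenced element")
	}
	sv, _ := base64.StdEncoding.DecodeString(s.SignatureValue) // non-base64 garbage fails below
	h := sha256.Sum256(canonSignedInfo(s))
	if rsa.VerifyPKCS1v15(idpPub, crypto.SHA256, h[:], sv) != nil {
		return "", errors.New("SignatureValue not produced by the configured IdP key")
	}
	return a.NameID, nil
}

// Forge is what an attacker with no key can build: arbitrary NameID, a correct DigestValue (digests need no secret), random SignatureValue bytes.
func Forge(trustedIssuer, nameID string) (Assertion, Signature) {
	a := Assertion{ID: "_forged", Issuer: trustedIssuer, NameID: nameID}
	d := sha256.Sum256(canonAssertion(a))
	junk := make([]byte, 256) // same length as a real RSA-2048 signature
	rand.Read(junk)
	return a, Signature{ReferenceURI: "#" + a.ID, DigestValue: b64(d[:]), SignatureValue: b64(junk)}
}

func main() {
	const idpEntityID = "https://idp.example.test/saml" // constructed
	idp, _ := rsa.GenerateKey(rand.Reader, 2048)
	a, s := Forge(idpEntityID, "admin")
	fmt.Println(VerifyStructureOnly(a, s, idpEntityID))           // accepts the forgery
	fmt.Println(VerifyXMLDSig(a, s, idpEntityID, &idp.PublicKey)) // rejects it
}
```

The forgery passes the digest check, because computing a digest requires no secret; only the signature over SignedInfo, verified with the key the SP has configured for the IdP, binds the response to the IdP. Two things a real SP must do that this sketch does not: resolve the Reference URI to the element the application actually consumes (not merely any element carrying that ID), and take the verification key from configured IdP metadata, never from a KeyInfo element inside the message being verified.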

Metrics

CVSS v3.1: 9.1
Severity: CRITICAL
Fixed in: 1.2.0
Affected products: 1


HarborGuard Analysis

Synopsis

Authentication bypass in Relyra, a SAML 2.0 Service Provider library for Elixir and Phoenix (versions 1.0.0 and 1.1.0), allows a remote, unauthenticated attacker to forge a SAML assertion and authenticate as any user, including privileged ones. The library accepted SAML responses on document structure alone, without verifying SignatureValue against the configured IdP certificate or recomputing DigestValue over the referenced element, so an attacker could submit a response carrying an arbitrary NameID and a fabricated SignatureValue and receive a successful authentication result. This is a network-reachable, zero-authentication exploit path that grants full identity impersonation. A patched-image rebuild at version 1.2.0 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built Phoenix and Elixir application images that bundle Relyra 1.0.0 or 1.1.0. Any image in a connected registry or CI pipeline containing an affected version is flagged automatically.

Triage (Available)

HarborGuard scores this finding at CVSS 9.1 (Critical) and weights it further against each customer environment's compliance policy, escalating findings in regulated or high-sensitivity namespaces accordingly. Triage alerts are routed to the team inbox configured for the affected workload within each customer organization.

Patch (Pending upstream)

Because version 1.2.0 resolves the incomplete XMLDSig trust boundary, a patched-image rebuild at 1.2.0 is available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard triggers the rebuild, runs regression tests, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the SAML assertion consumer endpoint over the network; no local access or special positioning is required.

  • Authentication: Not required

    No credentials or existing session are needed; the attacker submits a forged SAML response as an unauthenticated party.

  • Victim interaction: Not required

    The attacker sends the forged SAML response directly to the service provider endpoint without requiring any action from a legitimate user.

  • Attack complexity: Low

    Exploitation is straightforward and reliable; no race condition, memory-layout knowledge or environmental dependency is involved. The attacker needs only the service provider's assertion consumer URL and the Issuer value the SP is configured to trust, both of which normally appear in published SAML metadata, and can then assemble a well-formed response with an arbitrary NameID and any SignatureValue.

Blast Radius

  • Attacker authenticates to the application as any arbitrary user by supplying a forged NameID, including accounts with administrative privileges.
  • All data and functionality accessible to the impersonated account becomes readable and modifiable by the attacker for the duration of the forged session.
  • Session isolation and role-based access controls offer no protection: authorization runs after authentication and is applied to whatever identity the forged NameID names, so the attacker inherits the impersonated account's roles rather than having to bypass them.
  • Data integrity of audit logs and attribution records is undermined because actions performed under the forged identity are attributed to the victim account.

How HarborGuard Handles This

Available on HarborGuard: detection for this critical authentication bypass is active across connected registries and pipelines, matching any image that packages Relyra 1.0.0 or 1.1.0, and a patched-image rebuild at version 1.2.0 becomes available once an affected image is identified. Customers who opt into auto-remediation get the rebuild, regression run and pull request described under Patch above; where compliance policy or organizational workflow requires manual sign-off, the finding is queued in the team inbox with the CVSS 9.1 score and affected image list attached. Until a patched image is deployed, compensating controls are limited, because nothing short of verifying the signature distinguishes a forged response from a genuine one. Worth considering: restricting which clients can POST to the SAML assertion consumer endpoint where the user population arrives from known networks (the response is submitted by the user's browser, not by the IdP, so source restrictions constrain users, not the IdP); logging every assertion received at the service provider (Issuer, NameID, assertion ID, InResponseTo) and reconciling it against the IdP's own issuance logs so that assertions the IdP never issued stand out; and, where the application offers another authentication method, disabling the SAML login path until 1.2.0 is in place.

Affected packages

  • szTheory / relyra: >= 1.0.0, < 1.2.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N