CVE-2026-28809 Overview
XML External Entity (XXE) vulnerability in esaml (and its forks) allows an attacker to cause the system to read local files and incorporate their contents into processed SAML documents, and potentially perform SSRF via crafted SAML messages.
The esaml library parses attacker-controlled SAML messages using xmerl_scan:string/2 before signature verification without disabling XML entity expansion. On Erlang/OTP versions before 27, Xmerl allows entities by default, enabling pre-signature XXE attacks. An attacker can cause the host to read local files (e.g., Kubernetes-mounted secrets) into the SAML document. If the attacker is not a trusted SAML SP, signature verification will fail and the document is discarded, but file contents may still be exposed through logs or error messages.
Critical Impact
Local file disclosure and potential Server-Side Request Forgery (SSRF) through crafted SAML messages. Sensitive data such as Kubernetes secrets may be exposed even when signature verification fails.
Affected Products
- esaml (all versions)
- esaml fork by arekinath
- esaml fork by handnot2
- esaml fork by dropbox
- Systems running Erlang/OTP versions prior to 27
Discovery Timeline
- 2026-03-23 - CVE-2026-28809 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-28809
Vulnerability Analysis
This vulnerability is classified under CWE-611 (Improper Restriction of XML External Entity Reference). The core issue lies in the order of operations during SAML message processing: the esaml library parses incoming XML before validating the cryptographic signature of the SAML assertion.
The xmerl_scan:string/2 function in Erlang's Xmerl library processes XML documents with entity expansion enabled by default on Erlang/OTP versions before 27. This means an attacker can craft a malicious SAML message containing external entity declarations that reference local files or internal network resources.
Even when the subsequent signature verification fails (as it typically would for attacker-controlled messages from untrusted sources), the XXE payload has already been processed. The expanded file contents become part of the parsed document and may leak through various channels including application logs, error messages, or debug output.
Root Cause
The vulnerability stems from two compounding issues:
- Insecure parsing order: SAML messages are parsed and XML entities are expanded before signature verification occurs, allowing pre-authentication attacks.
- Default-enabled entity expansion: Erlang/OTP versions prior to 27 have Xmerl configured to allow XML external entities by default, exposing the library to XXE attacks without explicit opt-in.
The combination creates a window where malicious XML content is fully processed even though it will ultimately be rejected by signature validation.
Attack Vector
The attack is network-accessible and does not require authentication or user interaction. An attacker sends a crafted SAML message to an application using esaml (or its forks) that contains malicious XML external entity declarations. These entities can reference:
- Local filesystem paths (e.g., /etc/passwd, Kubernetes secrets mounted at /var/run/secrets/)
- Internal network resources via SSRF (e.g., metadata services at http://169.254.169.254/)
The esaml library processes the malicious XML, expanding the entities and reading the referenced resources into memory. While the message is likely rejected during signature verification if the attacker is untrusted, the sensitive data may already have been logged or exposed through error handling mechanisms.
Detection Methods for CVE-2026-28809
Indicators of Compromise
- Unusual SAML authentication attempts containing XML entity declarations (DTD references)
- Log entries containing unexpected file contents or internal service responses
- Error messages exposing local filesystem paths or internal network data
- SAML messages with <!DOCTYPE> or <!ENTITY> declarations in payloads
Detection Strategies
- Monitor SAML endpoints for requests containing XML DTD declarations or entity references
- Implement log analysis to detect leaked file contents or metadata service responses
- Configure intrusion detection systems to alert on SAML messages with suspicious XML patterns
- Review application logs for parsing errors that may indicate exploitation attempts
Monitoring Recommendations
- Enable detailed logging on SAML authentication endpoints to capture malformed requests
- Monitor outbound network traffic for connections to internal metadata services (e.g., cloud instance metadata endpoints)
- Set up alerts for file access patterns consistent with XXE exploitation attempts
- Track Erlang/OTP version across infrastructure to identify vulnerable deployments
How to Mitigate CVE-2026-28809
Immediate Actions Required
- Upgrade Erlang/OTP to version 27 or later, where Xmerl defaults to disabling entity expansion
- Review application logs for evidence of exploitation attempts
- Audit deployments using esaml or its forks (arekinath, handnot2, dropbox)
- Implement network segmentation to limit SSRF impact from compromised SAML endpoints
Patch Information
No specific patch information is available in the CVE data. Users should consult the CNA Security Advisory for the latest remediation guidance. The primary mitigation is upgrading to Erlang/OTP 27 or later, which disables XML entity expansion by default in Xmerl.
Workarounds
- Upgrade to Erlang/OTP 27 or later where Xmerl defaults to entities disabled
- Configure xmerl_scan options to explicitly disable external entity processing if the library supports it
- Implement a web application firewall (WAF) rule to block SAML messages containing DTD or ENTITY declarations
- Add pre-validation filtering to sanitize incoming SAML messages before they reach the esaml library
- Ensure sensitive files and secrets are not readable by the application user when possible
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
