Improper Check for Unusual or Exceptional Conditions in gosaml2 - #VU128390


Published: April 28, 2026


Vulnerability identifier: #VU128390
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-754
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
gosaml2
Software vendor:
Russell Haering

Description

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper handling of empty decrypted data in DecryptBytes() when processing a crafted encrypted SAML response over HTTP POST to the ACS endpoint. A remote attacker can send a specially crafted encrypted assertion to cause a denial of service.

Exploitation requires the service provider to have encrypted assertion support configured, and no valid signature is required because decryption occurs before assertion signature validation.
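The defensive pattern the advisory implies, as an added example that is not gosaml2's own code: whatever the decryption step returns, an empty plaintext is rejected before any further parsing, and a runtime panic caused by a crafted ciphertext is confined to that one request instead of taking down the service provider. The Decryptor interface and fakeDecryptor doubles are assumptions constructed for this illustration; only the method name DecryptBytes is taken from the advisory.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrEmptyPlaintext: an empty decryption result can never be a valid
// EncryptedAssertion payload, so it is rejected before any parsing happens.
var ErrEmptyPlaintext = errors.New("decrypted assertion is empty")

// Decryptor stands in for the library's decryption step.
// Assumption: this interface is illustrative, not gosaml2's actual API.
type Decryptor interface {
	DecryptBytes(ciphertext []byte) ([]byte, error)
}

// SafeDecrypt wraps the decryption step so that (a) empty output becomes an
// error and (b) a panic triggered by a crafted ciphertext is converted into an
// error for that request instead of terminating the whole process.
func SafeDecrypt(d Decryptor, ciphertext []byte) (plain []byte, err error) {
	defer func() {
		if r := recover(); r != nil {
			plain, err = nil, fmt.Errorf("decryption panicked on malformed input: %v", r)
		}
	}()
	plain, err = d.DecryptBytes(ciphertext)
	if err != nil {
		return nil, err
	}
	if len(plain) == 0 {
		return nil, ErrEmptyPlaintext
	}
	return plain, nil
}

// fakeDecryptor is a constructed test double modelling the three outcomes
// the guard must handle: valid plaintext, empty plaintext, and a panic.
type fakeDecryptor struct {
	out   []byte
	crash bool
}

func (f fakeDecryptor) DecryptBytes(_ []byte) ([]byte, error) {
	if f.crash {
		panic("simulated index out of range while handling ciphertext")
	}
	return f.out, nil
}

func main() {
	for _, d := range []fakeDecryptor{{out: []byte("<saml:Assertion/>")}, {}, {crash: true}} {
		_, err := SafeDecrypt(d, []byte("constructed ciphertext"))
		fmt.Println("err:", err)
	}
}
```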


Remediation

Install the security update from the vendor's website.

External links