
CVE-2022-31122: CWE-287: Improper Authentication in wireapp wire-server

Medium
Published: Tue Oct 18 2022 (10/18/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: wireapp
Product: wire-server

Description

Wire is an encrypted communication and collaboration platform. Versions prior to 2022-07-12/Chart 4.19.0 are subject to Token Recipient Confusion. If an attacker has certain details of SAML IdP metadata, and configures their own SAML on the same backend, the attacker can delete all SAML authenticated accounts of a targeted team, authenticate as a user of the attacked team and create arbitrary accounts in the context of the team if it is not managed by SCIM. This issue is fixed in wire-server 2022-07-12 and is already deployed on all Wire managed services. On-premise instances of wire-server need to be updated to 2022-07-12/Chart 4.19.0, so that their backends are no longer affected. As a workaround, the risk of an attack can be reduced by disabling SAML configuration for teams (galley.config.settings.featureFlags.sso). Helm overrides are located in `values/wire-server/values.yaml`. Note that the ability to configure SAML SSO as a team is disabled by default for on-premise installations.

AI-Powered Analysis

Last updated: 06/22/2025, 15:23:09 UTC

Technical Analysis

CVE-2022-31122 is a medium-severity vulnerability affecting the wire-server component of the Wire encrypted communication and collaboration platform. The vulnerability arises from improper authentication (CWE-287) and incorrect security token generation (CWE-1270) related to the handling of SAML (Security Assertion Markup Language) Identity Provider (IdP) metadata. Specifically, versions of wire-server prior to 2022-07-12 (Chart version 4.19.0) are vulnerable to a Token Recipient Confusion attack. An attacker who possesses certain details of the SAML IdP metadata and is able to configure their own SAML IdP on the same backend can exploit this flaw to perform several malicious actions. These include deleting all SAML-authenticated accounts of a targeted team, authenticating as an arbitrary user within that team, and creating arbitrary accounts in the context of the team if the team is not managed by SCIM (System for Cross-domain Identity Management). This vulnerability effectively allows an attacker to bypass authentication controls, compromise team membership integrity, and potentially gain unauthorized access to sensitive communications and collaboration data. The issue has been fixed in wire-server version 2022-07-12/Chart 4.19.0, and this patch has been deployed on all Wire managed services. However, on-premise instances remain vulnerable unless updated. As a temporary mitigation, disabling SAML configuration for teams (via the galley.config.settings.featureFlags.sso flag in Helm chart overrides) reduces the attack surface. Notably, the ability to configure SAML SSO at the team level is disabled by default in on-premise installations, which limits exposure. No known exploits have been reported in the wild to date. The vulnerability requires the attacker to have specific SAML metadata details and the ability to configure SAML on the backend, which implies some level of insider knowledge or access to configuration interfaces.
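The defensive principle behind a "token recipient confusion" fix on a multi-tenant SAML backend is that an assertion must only be accepted for a team if it was issued by the IdP registered for that team, and its audience and recipient must name this service provider. The check below is an added illustration of that principle; it is not wire-server code and not a reproduction of the actual patch. The team-to-IdP registry, entity IDs, ACS URL and the assertion itself are constructed values, and signature verification (mandatory in a real deployment) is out of scope here.

```python
"""Tenant-bound SAML assertion acceptance check (added example, not wire-server code)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical multi-tenant registry: the single IdP entityID each team trusts (constructed values).
TEAM_IDP = {
    "team-victim": "https://idp.victim.example/metadata",
    "team-other": "https://idp.other.example/metadata",
}
SP_ENTITY_ID = "https://sp.example/sso/metadata"  # constructed SP entityID
ACS_URL = "https://sp.example/sso/finalize"       # constructed assertion consumer URL


def validate_assertion(xml_text, team_id, now=None):
    """Return (ok, reason). Accept only if the Issuer is the IdP bound to team_id and
    the Audience, Recipient and expiry all check out. The issuer-to-team binding is what
    prevents an IdP registered for one team from minting logins for another team."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    expected_issuer = TEAM_IDP.get(team_id)
    if expected_issuer is None:
        return False, "unknown team"
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer != expected_issuer:
        return False, f"issuer {issuer!r} is not the IdP registered for {team_id}"
    audience = root.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != SP_ENTITY_ID:
        return False, "audience does not name this SP"
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        return False, "recipient does not name this SP's ACS URL"
    exp = scd.get("NotOnOrAfter")
    if exp is None or datetime.fromisoformat(exp.replace("Z", "+00:00")) <= now:
        return False, "assertion expired or has no NotOnOrAfter"
    return True, "ok"


def make_assertion(issuer, audience=SP_ENTITY_ID, recipient=ACS_URL, exp="2099-01-01T00:00:00Z"):
    """Build a constructed, unsigned assertion for the demo only."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID><saml:SubjectConfirmation>
    <saml:SubjectConfirmationData Recipient="{recipient}" NotOnOrAfter="{exp}"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>"""
```

Run against a constructed assertion from the team's own IdP, the check passes; the same assertion presented for a different team, or one naming another SP as audience, is rejected before any account lookup happens.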

Potential Impact

For European organizations using Wire's on-premise wire-server versions prior to 2022-07-12, this vulnerability poses a significant risk to the confidentiality, integrity, and availability of their communication data. An attacker exploiting this flaw can delete legitimate SAML-authenticated user accounts, disrupting team operations and availability of services. More critically, the attacker can impersonate legitimate users, gaining unauthorized access to sensitive conversations and collaboration data, potentially leading to data breaches and espionage. The ability to create arbitrary accounts further exacerbates the risk by enabling persistent unauthorized access and lateral movement within the organization. This threat is particularly impactful for organizations relying heavily on SAML for single sign-on (SSO) integration without SCIM management, as SCIM-managed teams are less vulnerable. Given Wire's use in sectors requiring strong privacy and security guarantees, such as legal, financial, and governmental institutions, exploitation could result in severe reputational damage, regulatory penalties under GDPR, and operational disruption. The absence of known exploits in the wild reduces immediate risk, but the complexity of the attack and insider knowledge requirements mean that targeted attacks by sophisticated adversaries remain plausible. Organizations with on-premise deployments that have not applied the patch remain exposed, while managed service users are protected.

Mitigation Recommendations

European organizations should prioritize updating all on-premise wire-server instances to version 2022-07-12 (Chart 4.19.0) or later to fully remediate the vulnerability. This update addresses the improper authentication and token confusion issues at the code level. Until updates can be applied, organizations should disable SAML configuration for teams by setting galley.config.settings.featureFlags.sso to false in the Helm chart overrides (values/wire-server/values.yaml). This measure reduces the attack surface by preventing team-level SAML SSO configuration. Additionally, organizations should audit their SAML IdP metadata exposure and restrict access to configuration interfaces to trusted administrators only, minimizing the risk that attackers can obtain necessary metadata details or configure malicious SAML providers. Implementing SCIM for team management where possible will also mitigate risk by enforcing stricter identity lifecycle controls. Monitoring wire-server logs for unusual SAML configuration changes or account deletions can provide early detection of exploitation attempts. Finally, organizations should review and tighten access controls around SAML configuration and backend management interfaces, enforce strong authentication for administrators, and consider network segmentation to isolate critical identity management components.


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-05-18T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9845c4522896dcbf47bc

Added to database: 5/21/2025, 9:09:25 AM

Last enriched: 6/22/2025, 3:23:09 PM

Last updated: 8/18/2025, 11:28:14 PM
