CVE-2026-28809: CWE-611 Improper Restriction of XML External Entity Reference in dropbox esaml
CVE-2026-28809 is an XML External Entity (XXE) vulnerability in the esaml library and its forks, including Dropbox's version. The vulnerability arises because esaml parses attacker-controlled SAML messages using xmerl_scan:string/2 without disabling XML entity expansion before signature verification. On Erlang/OTP versions prior to 27, this allows an attacker to cause the system to read local files and incorporate their contents into SAML documents, potentially exposing sensitive data such as Kubernetes-mounted secrets. If the message is not signed by a trusted party, signature verification fails and the document is discarded, but the file contents may still leak through logs or error messages. Systems running Erlang/OTP 27 or later are not affected due to a change in default entity handling. No official patch is referenced, and no known exploits are reported in the wild.
AI Analysis
Technical Summary
The vulnerability CVE-2026-28809 affects the esaml library used for SAML processing, including forks by Dropbox and others. It is caused by improper restriction of XML External Entity references (CWE-611) due to esaml parsing SAML messages with xmerl_scan:string/2 without disabling XML entity expansion before signature verification. On Erlang/OTP versions before 27, the xmerl XML parser allows entity expansion by default, enabling attackers to craft malicious SAML messages that cause the system to read local files and embed their contents into the SAML document. Although signature verification prevents acceptance of messages from untrusted sources, sensitive file contents may be exposed via logs or error messages. Erlang/OTP 27 and later versions mitigate this by disabling entity expansion by default, preventing exploitation. The CVSS 4.0 base score is 6.3 (medium severity). There is no vendor advisory or patch information provided, and no known exploits have been observed.
Potential Impact
An attacker can exploit this vulnerability to cause the esaml library to read local files on the host system and include their contents in processed SAML documents. This can lead to exposure of sensitive information such as Kubernetes-mounted secrets through logs or error messages. The vulnerability does not allow bypassing signature verification, so untrusted SAML messages are discarded, limiting the impact to information disclosure rather than direct authentication bypass or code execution. Systems running Erlang/OTP 27 or later are not affected due to changes in default XML entity handling.
Mitigation Recommendations
No official patch or vendor advisory is provided for this vulnerability. Users should upgrade to Erlang/OTP version 27 or later, where the xmerl XML parser disables entity expansion by default, effectively mitigating this issue. Alternatively, users should ensure that XML entity expansion is explicitly disabled when parsing SAML messages with esaml. Monitor vendor channels for any future patches or official guidance. Since this is a library vulnerability, users should review their usage of esaml and consider applying custom mitigations if upgrading Erlang/OTP is not immediately feasible.
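The following is an added example, not code from esaml or Dropbox, of what "explicitly disabling entity expansion before signature verification" can look like for an application that wraps xmerl_scan:string/2. The module name safe_saml_parse is hypothetical, and the fetch_fun option semantics are taken from the xmerl_scan documentation as remembered here; confirm them against the OTP release you run.

```erlang
%% Added example (not esaml's own code): parse untrusted SAML XML without
%% ever resolving an entity, and do it before any signature check.
%% Layer 1: refuse any document that declares a DOCTYPE. SAML messages never
%%          legitimately carry a DTD, and without a DTD no entity can be declared.
%% Layer 2: even if layer 1 were bypassed, refuse every external fetch through
%%          xmerl's fetch_fun option (the default fetch_fun reads local files).
%% On OTP 27+ the option {allow_entities, false} is the default; on older
%% releases rely on the two layers below. Assumption: fetch_fun is called as
%% Fun(URI, State) and any non {ok, ...} result aborts the parse.
-module(safe_saml_parse).
-export([parse/1, has_doctype/1]).

%% true if the raw XML declares a DOCTYPE (and therefore may define entities).
has_doctype(Xml) when is_list(Xml) ->
    has_doctype(list_to_binary(Xml));
has_doctype(Xml) when is_binary(Xml) ->
    case binary:match(Xml, <<"<!DOCTYPE">>) of
        nomatch -> false;
        _Found  -> true
    end.

%% Returns {ok, XmlElement} or {error, Atom}. The error atom carries no
%% document content, so logging it cannot leak an expanded entity value.
parse(Xml) when is_binary(Xml) ->
    parse(binary_to_list(Xml));
parse(Xml) when is_list(Xml) ->
    case has_doctype(Xml) of
        true ->
            {error, doctype_not_allowed};
        false ->
            RefuseFetch = fun(_Uri, _State) -> {error, external_entity_refused} end,
            Opts = [{fetch_fun, RefuseFetch}],
            try xmerl_scan:string(Xml, Opts) of
                {Doc, _Rest} -> {ok, Doc}
            catch
                %% xmerl reports fatal errors via exit/throw; collapse the
                %% detail so error messages never echo the document.
                _Class:_Reason -> {error, malformed_xml}
            end
    end.
```

Call parse/1 on the raw SAMLResponse (after base64 decoding) and only hand the resulting element to signature verification when it returns {ok, Doc}; a {error, doctype_not_allowed} result is worth alerting on, since no legitimate IdP produces it.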
Technical Details
- Data Version: 5.2
- Assigner Short Name: EEF
- Date Reserved: 2026-03-03T14:40:00.590Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c119e0f4197a8e3b3cb44c
Added to database: 3/23/2026, 10:45:52 AM
Last enriched: 4/14/2026, 4:04:24 PM
Last updated: 5/7/2026, 5:55:14 AM
Views: 102