CVE-2026-28809: CWE-611 Improper Restriction of XML External Entity Reference in dropbox esaml
CVE-2026-28809 is an XML External Entity (XXE) vulnerability affecting the esaml library used by Dropbox and its forks. The vulnerability arises because esaml parses attacker-controlled SAML messages using xmerl_scan:string/2 without disabling XML entity expansion before signature verification. On Erlang/OTP versions prior to 27, this allows an attacker to read local files, such as Kubernetes-mounted secrets, by embedding crafted XML entities in SAML messages. Although signature verification will fail for untrusted SAML service providers, the file contents may still be exposed through logs or error messages. This vulnerability can also enable Server-Side Request Forgery (SSRF) attacks. Systems running Erlang/OTP 27 or later are not affected due to the default disabling of XML entities in xmerl. The CVSS 4.0 score is 6.3 (medium severity), reflecting network attack vector, no privileges required, no user interaction, and limited confidentiality impact. No known exploits are currently reported in the wild.
AI Analysis
Technical Summary
CVE-2026-28809 is a medium-severity XML External Entity (XXE) vulnerability in the esaml library and its forks, including those used by Dropbox. The root cause is the use of the Erlang xmerl XML parser's xmerl_scan:string/2 function to parse SAML messages before signature verification, without disabling XML entity expansion. On Erlang/OTP versions before 27, xmerl allows XML entities by default, enabling attackers to craft malicious SAML messages containing external entity references. When these messages are parsed, the system can be tricked into reading arbitrary local files, such as sensitive Kubernetes secrets mounted on the host. Although signature verification will reject messages from untrusted SAML service providers, the vulnerable parsing step occurs prior to verification, potentially exposing sensitive file contents through logs or error messages. Additionally, the vulnerability may enable SSRF attacks by referencing external resources. The issue affects all versions of esaml and its forks by arekinath, handnot2, and Dropbox, but is mitigated on Erlang/OTP 27 or later where xmerl disables entity expansion by default. No patches are currently linked, and no known exploits have been reported. The CVSS 4.0 vector indicates a network attack vector, no privileges or user interaction required, and limited confidentiality impact due to the indirect exposure method.
Potential Impact
Organizations using esaml or its forks in environments running Erlang/OTP versions prior to 27 are at risk of sensitive information disclosure. Attackers can exploit this vulnerability remotely without authentication or user interaction by sending crafted SAML messages, potentially exposing local files such as Kubernetes secrets or other sensitive configuration files. This can lead to leakage of credentials, private keys, or other confidential data, undermining the confidentiality of the affected systems. The SSRF potential could allow attackers to pivot within internal networks, accessing internal services not otherwise exposed externally. Although signature verification prevents acceptance of malicious SAML assertions from untrusted sources, the pre-verification parsing step still exposes sensitive data indirectly. This vulnerability could impact cloud service providers, enterprises using SAML-based single sign-on solutions, and any organization relying on esaml for SAML processing. The scope is limited to systems using vulnerable esaml versions on older Erlang runtimes, but the impact on confidentiality and potential for lateral movement is significant.
Mitigation Recommendations
To mitigate CVE-2026-28809, organizations should upgrade their Erlang/OTP runtime to version 27 or later, where the xmerl parser disables XML entity expansion by default, effectively preventing XXE attacks. If upgrading Erlang is not immediately possible, users should patch or update the esaml library and its forks to versions that explicitly disable XML entity expansion during SAML message parsing. Implement strict input validation and XML parsing configurations that disable external entity resolution before signature verification. Additionally, ensure that sensitive files such as Kubernetes secrets are not unnecessarily mounted or accessible to services processing untrusted XML input. Monitor logs and error messages for inadvertent leakage of sensitive data and restrict logging verbosity to avoid exposing file contents. Employ network segmentation and firewall rules to limit SSRF attack impact. Finally, conduct regular security assessments and code reviews focusing on XML parsing and SAML processing components.
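The following Erlang module is an added illustration of the two defensive layers described above; it is not part of this advisory and not esaml's own code. It rejects any DTD or entity declaration before xmerl_scan:string/2 ever runs (a check that works on every OTP release), and then calls the parser with entity expansion and external fetching turned off. The module and function names, the sample messages (constructed, not real SAML traffic) and the placeholder file path are mine; the {allow_entities, false} option is assumed to be recognised by the installed xmerl (it is the default in OTP 27, and older releases may not accept it, which is why the pre-check comes first).

```erlang
%% Added example (not esaml's code): parse an untrusted SAML message with
%% xmerl while refusing DTD/entity constructs, so a crafted external entity
%% cannot be expanded before signature verification.
-module(saml_xml_guard).
-export([has_dtd/1, parse_untrusted/1, demo/0]).

%% Layer 1, portable to any OTP version: a SAML protocol message never
%% legitimately carries a DTD, so any DOCTYPE or ENTITY declaration is
%% rejected before the parser sees the document.
-spec has_dtd(string()) -> boolean().
has_dtd(Str) when is_list(Str) ->
    Upper = string:uppercase(Str),
    string:find(Upper, "<!DOCTYPE") =/= nomatch orelse
        string:find(Upper, "<!ENTITY") =/= nomatch.

%% Accepts a binary or char list and returns {ok, String} or {error, _}.
to_string(Xml) ->
    case unicode:characters_to_list(Xml) of
        Str when is_list(Str) -> {ok, Str};
        _ -> {error, invalid_encoding}
    end.

-spec parse_untrusted(iodata()) -> {ok, term()} | {error, term()}.
parse_untrusted(Xml) ->
    case to_string(Xml) of
        {error, _} = Err ->
            Err;
        {ok, Str} ->
            case has_dtd(Str) of
                true  -> {error, dtd_not_allowed};
                false -> scan(Str)
            end
    end.

%% Layer 2: even if the pre-check were bypassed, tell xmerl not to expand
%% entities and never to fetch external resources.
%% Assumption: {allow_entities, false} is recognised by this xmerl release
%% (it is the default in OTP 27; older releases may not know the option).
scan(Str) ->
    try xmerl_scan:string(Str, [{allow_entities, false},
                                {fetch_fun, fun deny_fetch/2},
                                {quiet, true}]) of
        {Doc, _Rest} -> {ok, Doc}
    catch
        %% Report only the failure class and reason, never the document:
        %% on a vulnerable parser the expanded entity text would otherwise
        %% end up in the log, which is the exposure path the advisory names.
        Class:Reason -> {error, {xml_parse_failed, Class, Reason}}
    end.

%% fetch_fun callback: refuse every external DTD/entity fetch. Replying
%% {ok, not_fetched, State} makes xmerl treat the reference as unresolved,
%% so the parse fails instead of reading a local file or a URL.
deny_fetch(_DTDSpec, GlobalState) ->
    {ok, not_fetched, GlobalState}.

%% Constructed sample inputs (not real SAML traffic): a benign response
%% element and one carrying a DTD with an external entity, using a
%% placeholder path rather than any real secret location.
demo() ->
    Benign  = <<"<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" "
                "ID=\"_1\" Version=\"2.0\"/>">>,
    WithDtd = <<"<!DOCTYPE r [<!ENTITY e SYSTEM \"file:///placeholder/secret\">]>"
                "<r>&e;</r>">>,
    {parse_untrusted(Benign), parse_untrusted(WithDtd)}.
```

Calling saml_xml_guard:demo/0 returns the benign document as {ok, Element} and {error, dtd_not_allowed} for the second message; the parser is never invoked on the latter. Wire parse_untrusted/1 in front of whatever performs signature verification, and keep the error tuple (not the raw message) as the only thing that reaches logs.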
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Japan, Netherlands, Sweden, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: EEF
- Date Reserved: 2026-03-03T14:40:00.590Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c119e0f4197a8e3b3cb44c
Added to database: 3/23/2026, 10:45:52 AM
Last enriched: 3/23/2026, 11:01:07 AM
Last updated: 3/23/2026, 3:28:16 PM