CVE-2026-32600: CWE-354: Improper Validation of Integrity Check Value in simplesamlphp xml-security
xml-security is a library that implements XML signatures and encryption. Prior to versions 2.3.1 and 1.13.9, XML nodes encrypted with either aes-128-gcm, aes-192-gcm, or aes-256-gcm lack validation of the authentication tag length. An attacker can use this to brute-force an authentication tag, recover the GHASH key, and decrypt the encrypted nodes. It also allows an attacker to forge arbitrary ciphertexts without knowing the encryption key. This vulnerability is fixed in 2.3.1 and 1.13.9.
AI Analysis
Technical Summary
CVE-2026-32600 affects the xml-security library used by simplesamlphp, a widely used PHP implementation for SAML authentication. Prior to versions 2.3.1 and 1.13.9, the library does not validate the length of the authentication tag on XML nodes encrypted with AES-GCM (aes-128-gcm, aes-192-gcm, aes-256-gcm). AES-GCM provides both confidentiality and integrity through that tag; because its length is not validated, an attacker can brute-force an authentication tag and thereby recover the GHASH key used in Galois/Counter Mode. With the GHASH key, attackers can decrypt encrypted XML nodes and forge arbitrary ciphertexts without needing the original encryption key, which breaks the confidentiality and integrity guarantees of the encrypted data. The vulnerability can be exploited remotely without authentication or user interaction, increasing its risk profile. The CVSS v3.1 score of 8.2 reflects the high impact on confidentiality and ease of exploitation. The vulnerability is categorized under CWE-354, which concerns improper validation of integrity check values. The issue is resolved in xml-security versions 2.3.1 and 1.13.9, and users are strongly advised to upgrade to these or later versions. No public exploits or active exploitation campaigns have been reported to date.
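The missing tag-length check, shown with PHP's OpenSSL extension as an added example; this is not code from xml-security or from this advisory. The function names `decryptUnchecked` and `decryptChecked`, the key and the sample message are constructed for illustration, and PHP 8 with ext-openssl is assumed.

```php
<?php
declare(strict_types=1);

// Added illustration of AES-GCM tag handling; names and sample data are
// constructed and do not come from the xml-security code base.
const GCM_IV_LEN  = 12; // 96-bit IV
const GCM_TAG_LEN = 16; // full 128-bit authentication tag

// Unsafe pattern: the tag is passed through at whatever length it arrived.
// openssl_decrypt() does not check the tag length itself.
function decryptUnchecked(string $key, string $iv, string $ct, string $tag): string|false
{
    return openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
}

// Hardened pattern: reject any IV or tag of unexpected length before the
// AEAD primitive is invoked, then treat a failed tag check as fatal.
function decryptChecked(string $key, string $iv, string $ct, string $tag): string
{
    if (strlen($iv) !== GCM_IV_LEN) {
        throw new InvalidArgumentException('unexpected IV length');
    }
    if (strlen($tag) !== GCM_TAG_LEN) {
        throw new InvalidArgumentException('unexpected authentication tag length');
    }
    $pt = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false) {
        throw new RuntimeException('authentication failed');
    }
    return $pt;
}

// Constructed sample: encrypt one message, then present a shortened tag.
$key   = random_bytes(32);
$iv    = random_bytes(GCM_IV_LEN);
$tag   = '';
$ct    = openssl_encrypt('<saml:Assertion/>', 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, '', GCM_TAG_LEN);
$short = substr($tag, 0, 4);

// Only the bytes supplied are compared, so the 4-byte prefix is enough here.
var_dump(decryptUnchecked($key, $iv, $ct, $short) !== false);
try {
    decryptChecked($key, $iv, $ct, $short);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
echo decryptChecked($key, $iv, $ct, $tag), PHP_EOL;
```

Each byte removed from the tag makes a forged tag 256 times easier to guess, which is why the length has to be pinned before decryption rather than inferred from the input.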
Potential Impact
This vulnerability poses a significant threat to organizations relying on simplesamlphp xml-security for SAML authentication and XML encryption. Successful exploitation allows attackers to decrypt sensitive XML data, potentially exposing confidential information such as authentication tokens, user credentials, or personally identifiable information. Additionally, the ability to forge ciphertexts undermines data integrity, enabling attackers to inject malicious or manipulated data into authentication workflows. This can lead to unauthorized access, privilege escalation, or session hijacking. Since simplesamlphp is widely used in identity federation and single sign-on (SSO) implementations, the impact could extend to numerous enterprise environments, government agencies, and cloud services. Because neither authentication nor user interaction is required, attackers can exploit this vulnerability remotely and stealthily, increasing the risk of widespread compromise. Although availability is not directly affected, the confidentiality and integrity breaches can have cascading effects on organizational security posture and trust in identity systems.
Mitigation Recommendations
Organizations should immediately upgrade the simplesamlphp xml-security library to version 2.3.1 or 1.13.9 or later, where the vulnerability is patched. Prior to upgrading, conduct an inventory of all systems using simplesamlphp to identify affected versions. Implement network-level protections such as restricting access to SAML endpoints to trusted IP ranges and deploying web application firewalls (WAFs) with rules to detect anomalous XML payloads. Monitor authentication logs and XML processing events for unusual patterns that may indicate exploitation attempts. Where possible, employ additional encryption or tokenization layers around sensitive XML data to reduce exposure. Conduct thorough security testing and code reviews of SAML integrations to ensure no residual weaknesses exist. Finally, maintain an incident response plan tailored to identity federation breaches to quickly respond if exploitation is detected.
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Japan, Netherlands, Sweden, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-12T14:54:24.269Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b473bf2f860ef943aa9457
Added to database: 3/13/2026, 8:29:51 PM
Last enriched: 3/21/2026, 12:37:47 AM
Last updated: 4/28/2026, 12:55:59 AM