CVE-2026-49454: CWE-287: Improper Authentication in szTheory relyra
Relyra versions prior to 1.2.0 contain a critical authentication vulnerability where forged SAML signatures are accepted without proper cryptographic verification. The library failed to verify the SignatureValue against the configured IdP certificate's public key and did not recompute the DigestValue, allowing attackers to bypass signature validation. This flaw could allow an attacker to impersonate users by submitting forged authentication responses. The issue has been fixed in version 1.2.0.
AI Analysis
Technical Summary
Relyra, a SAML 2.0 Service Provider library for Elixir and Phoenix, versions 1.0.0 and 1.1.0 improperly authenticate SAML responses by accepting forged signatures. The verification process omitted critical cryptographic checks: the SignatureValue was not verified against the IdP's public key, DigestValue was not recomputed, and canonicalization was not properly applied. This incomplete XMLDSig trust boundary allowed attackers to submit attacker-controlled NameID values and receive successful authentication results. The vulnerability is tracked as CVE-2026-49454 and has a CVSS 3.1 score of 9.1 (critical). It is fixed in version 1.2.0.
Potential Impact
Successful exploitation allows attackers to bypass authentication by submitting forged SAML signatures, potentially impersonating any user. This compromises confidentiality and integrity of authentication without causing availability impact. The vulnerability is critical due to the high likelihood of complete authentication bypass and unauthorized access.
Mitigation Recommendations
Upgrade to relyra version 1.2.0 or later, where the signature verification process correctly performs cryptographic validation of SignatureValue against the IdP certificate's public key and recomputes DigestValue. No other mitigations are indicated. Patch status is confirmed fixed in version 1.2.0.
CVE-2026-49454: CWE-287: Improper Authentication in szTheory relyra
Description
Relyra versions prior to 1.2.0 contain a critical authentication vulnerability where forged SAML signatures are accepted without proper cryptographic verification. The library failed to verify the SignatureValue against the configured IdP certificate's public key and did not recompute the DigestValue, allowing attackers to bypass signature validation. This flaw could allow an attacker to impersonate users by submitting forged authentication responses. The issue has been fixed in version 1.2.0.
CVSS v3.1
Score 9.1critical
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Relyra, a SAML 2.0 Service Provider library for Elixir and Phoenix, versions 1.0.0 and 1.1.0 improperly authenticate SAML responses by accepting forged signatures. The verification process omitted critical cryptographic checks: the SignatureValue was not verified against the IdP's public key, DigestValue was not recomputed, and canonicalization was not properly applied. This incomplete XMLDSig trust boundary allowed attackers to submit attacker-controlled NameID values and receive successful authentication results. The vulnerability is tracked as CVE-2026-49454 and has a CVSS 3.1 score of 9.1 (critical). It is fixed in version 1.2.0.
Potential Impact
Successful exploitation allows attackers to bypass authentication by submitting forged SAML signatures, potentially impersonating any user. This compromises confidentiality and integrity of authentication without causing availability impact. The vulnerability is critical due to the high likelihood of complete authentication bypass and unauthorized access.
Mitigation Recommendations
Upgrade to relyra version 1.2.0 or later, where the signature verification process correctly performs cryptographic validation of SignatureValue against the IdP certificate's public key and recomputes DigestValue. No other mitigations are indicated. Patch status is confirmed fixed in version 1.2.0.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-30T02:43:33.107Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a346115f198dc38c1910c6b
Added to database: 6/18/2026, 9:20:21 PM
Last enriched: 6/18/2026, 9:34:59 PM
Last updated: 6/18/2026, 11:28:33 PM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.