CVE-2026-28809 - Vulnerability Details

Vendors	Products
Arekinath	Esaml
Dropbox	Esaml
Handnot2	Esaml

Link	Providers
https://cna.erlef.org/cves/CVE-2026-28809.html

Type	Values Removed	Values Added
Description		XML External Entity (XXE) vulnerability in esaml (and its forks) allows an attacker to cause the system to read local files and incorporate their contents into processed SAML documents, and potentially perform SSRF via crafted SAML messages. esaml parses attacker-controlled SAML messages using xmerl_scan:string/2 before signature verification without disabling XML entity expansion. On Erlang/OTP versions before 27, Xmerl allows entities by default, enabling pre-signature XXE attacks. An attacker can cause the host to read local files (e.g., Kubernetes-mounted secrets) into the SAML document. If the attacker is not a trusted SAML SP, signature verification will fail and the document is discarded, but file contents may still be exposed through logs or error messages. This issue affects all versions of esaml, including forks by arekinath, handnot2, and dropbox. Users running on Erlang/OTP 27 or later are not affected due to Xmerl defaulting to entities disabled.
Title		XXE in esaml SAML library allows local file read and potential SSRF
First Time appeared		Arekinath Arekinath esaml Dropbox Dropbox esaml Handnot2 Handnot2 esaml
Weaknesses		CWE-611
CPEs		cpe:2.3:a:arekinath:esaml:::::::: cpe:2.3:a:dropbox:esaml:::::::: cpe:2.3:a:handnot2:esaml::::::::
Vendors & Products		Arekinath Arekinath esaml Dropbox Dropbox esaml Handnot2 Handnot2 esaml
References		https://cna.erlef.org/cves/CVE-2026-28809.html
Metrics		cvssV4_0 `{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}`

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28809", "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "state": "PUBLISHED", "assignerShortName": "EEF", "dateReserved": "2026-03-03T14:40:00.590Z", "datePublished": "2026-03-23T10:09:29.233Z", "dateUpdated": "2026-03-23T10:09:29.233Z"}, "containers": {"cna": {"affected": [{"cpes": ["cpe:2.3:a:dropbox:esaml:*:*:*:*:*:*:*:*", "cpe:2.3:a:arekinath:esaml:*:*:*:*:*:*:*:*", "cpe:2.3:a:handnot2:esaml:*:*:*:*:*:*:*:*"], "defaultStatus": "affected", "packageName": "esaml", "packageURL": "pkg:hex/esaml", "product": "esaml", "vendor": "dropbox"}, {"collectionURL": "https://github.com", "cpes": ["cpe:2.3:a:arekinath:esaml:*:*:*:*:*:*:*:*"], "defaultStatus": "affected", "packageName": "arekinath/esaml", "packageURL": "pkg:github/arekinath/esaml", "product": "esaml", "repo": "https://github.com/arekinath/esaml.git", "vendor": "arekinath"}, {"collectionURL": "https://github.com", "cpes": ["cpe:2.3:a:handnot2:esaml:*:*:*:*:*:*:*:*"], "defaultStatus": "affected", "packageName": "handnot2/esaml", "packageURL": "pkg:github/handnot2/esaml", "product": "esaml", "repo": "https://github.com/handnot2/esaml.git", "vendor": "handnot2"}, {"collectionURL": "https://github.com", "cpes": ["cpe:2.3:a:dropbox:esaml:*:*:*:*:*:*:*:*"], "defaultStatus": "affected", "packageName": "dropbox/esaml", "packageURL": "pkg:github/dropbox/esaml", "product": "esaml", "repo": "https://github.com/dropbox/esaml.git", "vendor": "dropbox"}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dropbox:esaml:*:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:arekinath:esaml:*:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:handnot2:esaml:*:*:*:*:*:*:*:*", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "credits": [{"lang": "en", "type": "finder", "value": "Bryan Lynch"}, {"lang": "en", "type": "coordinator", "value": "Jonatan M\u00e4nnchen / EEF"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "XML External Entity (XXE) vulnerability in esaml (and its forks) allows an attacker to cause the system to read local files and incorporate their contents into processed SAML documents, and potentially perform SSRF via crafted SAML messages.<p>esaml parses attacker-controlled SAML messages using <tt>xmerl_scan:string/2</tt> before signature verification without disabling XML entity expansion. On Erlang/OTP versions before 27, Xmerl allows entities by default, enabling pre-signature XXE attacks. An attacker can cause the host to read local files (e.g., Kubernetes-mounted secrets) into the SAML document. If the attacker is not a trusted SAML SP, signature verification will fail and the document is discarded, but file contents may still be exposed through logs or error messages.</p><p>This issue affects all versions of esaml, including forks by arekinath, handnot2, and dropbox. Users running on Erlang/OTP 27 or later are not affected due to Xmerl defaulting to entities disabled.</p>"}], "value": "XML External Entity (XXE) vulnerability in esaml (and its forks) allows an attacker to cause the system to read local files and incorporate their contents into processed SAML documents, and potentially perform SSRF via crafted SAML messages.\n\nesaml parses attacker-controlled SAML messages using xmerl_scan:string/2 before signature verification without disabling XML entity expansion. On Erlang/OTP versions before 27, Xmerl allows entities by default, enabling pre-signature XXE attacks. An attacker can cause the host to read local files (e.g., Kubernetes-mounted secrets) into the SAML document. If the attacker is not a trusted SAML SP, signature verification will fail and the document is discarded, but file contents may still be exposed through logs or error messages.\n\nThis issue affects all versions of esaml, including forks by arekinath, handnot2, and dropbox. Users running on Erlang/OTP 27 or later are not affected due to Xmerl defaulting to entities disabled."}], "impacts": [{"capecId": "CAPEC-201", "descriptions": [{"lang": "en", "value": "CAPEC-201 Serialized Data External Linking"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 6.3, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-611", "description": "CWE-611 Improper Restriction of XML External Entity Reference", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "shortName": "EEF", "dateUpdated": "2026-03-23T10:09:29.233Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://cna.erlef.org/cves/CVE-2026-28809.html"}], "source": {"discovery": "EXTERNAL"}, "title": "XXE in esaml SAML library allows local file read and potential SSRF", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Upgrade to Erlang/OTP 27 or later. Starting with OTP 27, <tt>xmerl_scan</tt> disables entity expansion by default, which mitigates this vulnerability without changes to esaml."}], "value": "Upgrade to Erlang/OTP 27 or later. Starting with OTP 27, xmerl_scan disables entity expansion by default, which mitigates this vulnerability without changes to esaml."}], "x_generator": {"engine": "Vulnogram 1.0.0"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "XML External Entity (XXE) vulnerability in esaml (and its forks) allows an attacker to cause the system to read local files and incorporate their contents into processed SAML documents, and potentially perform SSRF via crafted SAML messages.\n\nesaml parses attacker-controlled SAML messages using xmerl_scan:string/2 before signature verification without disabling XML entity expansion. On Erlang/OTP versions before 27, Xmerl allows entities by default, enabling pre-signature XXE attacks. An attacker can cause the host to read local files (e.g., Kubernetes-mounted secrets) into the SAML document. If the attacker is not a trusted SAML SP, signature verification will fail and the document is discarded, but file contents may still be exposed through logs or error messages.\n\nThis issue affects all versions of esaml, including forks by arekinath, handnot2, and dropbox. Users running on Erlang/OTP 27 or later are not affected due to Xmerl defaulting to entities disabled."}], "id": "CVE-2026-28809", "lastModified": "2026-03-23T11:16:24.343", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "type": "Secondary"}]}, "published": "2026-03-23T11:16:24.343", "references": [{"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://cna.erlef.org/cves/CVE-2026-28809.html"}], "sourceIdentifier": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "type": "Secondary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object