CVE-2026-41005

Cloud Foundry UAA (uaa_release 2.0.0–78.13.0) and CF Deployment up to 56.1.0 are affected by CVE-2026-41005, where XML encryption intended for confidentiality in SAML content was incorrectly treated as a substitute for XML signatures, enabling authentication bypass in two flows: OAuth 2.0 SAML2 b...

CVE-2026-41005 - UAA accepts SAML Encrypted Assertions authentication bypass | Cloud Foundry

Severity CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H 9.0 / Critical CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H 9.5 / Critical Vendor CloudFoundry Foundation Description Cloud Foundry UAA versions v2.0.0 through v78.13.0 incorrectly treated XML encryption to the Service...