CVE-2026-32600
Last modified
CVE-2026-32600 is a high-severity vulnerability rated 8.2/10 on the CVSS scale. xml-security is a library that implements XML signatures and encryption. Prior to versions 2.3.1 and 1.13.9, XML nodes encrypted with either aes-128-gcm, aes-192-gcm, or aes-256-gcm lack validation of the authentication tag length. EPSS estimates a 0.15% chance of exploitation in the next 30 days.
Description
xml-security is a library that implements XML signatures and encryption. Prior to versions 2.3.1 and 1.13.9, XML nodes encrypted with either aes-128-gcm, aes-192-gcm, or aes-256-gcm lack validation of the authentication tag length. An attacker can use this to brute-force an authentication tag, recover the GHASH key, and decrypt the encrypted nodes. It also allows to forge arbitrary ciphertexts without knowing the encryption key. This vulnerability is fixed in 2.3.1 and 1.13.9.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Simplesamlphp | Xml-Security | < 1.13.9 |
| Simplesamlphp | Xml-Security | >= 2.0.0, < 2.3.1 |
References
- https://github.com/simplesamlphp/xml-security/security/advisories/GHSA-r353-4845-pr5pExploit, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-32600?
How severe is CVE-2026-32600?
How do I fix CVE-2026-32600?
Are you affected by CVE-2026-32600?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST