Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
9.0 / Critical
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
9.5 / Critical
Vendor
CloudFoundry Foundation
Description
Cloud Foundry UAA versions v2.0.0 through v78.13.0 incorrectly treated XML encryption to the Service Provider (which provides confidentiality) as a substitute for an XML signature from the Identity Provider (which provides authenticity) in two SAML flows: the OAuth 2.0 SAML2 bearer grant (token endpoint) and browser SSO (ACS) when wantAssertionSigned is set to false. Assertions or responses that were unsigned but contained encrypted content could still be accepted. Encryption uses the SP's public key from its published metadata, so any party, not only a trusted IdP, can produce ciphertext that UAA can decrypt; successful decryption therefore does not prove that the IdP issued the message.
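The decision logic behind the flaw, as an added example that is not UAA's own code: the IdP signature is modelled as an HMAC under a constructed key that only the IdP holds, and encryption to the SP's published key as plain base64, because anyone can produce such ciphertext. `accept_vulnerable` applies the flawed rule (decryptable means authentic) and `accept_fixed` the corrected one (the decrypted assertion must carry a valid IdP signature regardless of transport).

```python
import base64, copy, hashlib, hmac
import xml.etree.ElementTree as ET
SAML, SAMLP = "urn:oasis:names:tc:SAML:2.0:assertion", "urn:oasis:names:tc:SAML:2.0:protocol"
DS, XENC = "http://www.w3.org/2000/09/xmldsig#", "http://www.w3.org/2001/04/xmlenc#"
for prefix, uri in (("saml", SAML), ("samlp", SAMLP), ("ds", DS), ("xenc", XENC)):
    ET.register_namespace(prefix, uri)  # stable prefixes so serialisation is reproducible
IDP_KEY = b"constructed-idp-signing-key"  # constructed stand-in for the IdP's private signing key

def q(ns, tag):
    return f"{{{ns}}}{tag}"
def make_assertion(subject, signing_key=None):
    a = ET.Element(q(SAML, "Assertion"))
    ET.SubElement(a, q(SAML, "Subject")).text = subject
    if signing_key is not None:  # enveloped signature modelled as an HMAC over the unsigned element
        mac = hmac.new(signing_key, ET.tostring(a), hashlib.sha256).digest()
        sig = ET.SubElement(a, q(DS, "Signature"))
        ET.SubElement(sig, q(DS, "SignatureValue")).text = base64.b64encode(mac).decode()
    return a
def verify_signature(assertion, idp_key):
    unsigned = copy.deepcopy(assertion)
    sig = unsigned.find(q(DS, "Signature"))
    if sig is None:
        return False  # unsigned: nothing ties this assertion to the IdP
    unsigned.remove(sig)  # the enveloped-signature transform: verify over the element minus ds:Signature
    expected = hmac.new(idp_key, ET.tostring(unsigned), hashlib.sha256).digest()
    got = base64.b64decode(sig.findtext(q(DS, "SignatureValue")) or "")
    return hmac.compare_digest(expected, got)
def make_response(assertion, encrypt):
    resp = ET.Element(q(SAMLP, "Response"))
    if encrypt:  # xenc to the SP's published public key: any sender can encrypt, so modelled as base64
        data = ET.SubElement(ET.SubElement(resp, q(SAML, "EncryptedAssertion")), q(XENC, "EncryptedData"))
        ET.SubElement(data, q(XENC, "CipherValue")).text = base64.b64encode(ET.tostring(assertion)).decode()
    else:
        resp.append(assertion)
    return ET.tostring(resp)
def extract_assertion(response_xml):
    resp = ET.fromstring(response_xml)
    cv = resp.find(f"{q(SAML, 'EncryptedAssertion')}/{q(XENC, 'EncryptedData')}/{q(XENC, 'CipherValue')}")
    # "decryption" succeeds for any sender's ciphertext and so proves nothing about who issued it
    return ET.fromstring(base64.b64decode(cv.text)) if cv is not None else resp.find(q(SAML, "Assertion"))
def accept_vulnerable(response_xml, idp_key):
    # the flawed rule: encrypted (hence decryptable) content was accepted without an IdP signature
    a = extract_assertion(response_xml)
    encrypted = ET.fromstring(response_xml).find(q(SAML, "EncryptedAssertion")) is not None
    return a is not None and (encrypted or verify_signature(a, idp_key))
def accept_fixed(response_xml, idp_key):
    # the corrected rule: whatever the transport, the decrypted assertion needs a valid IdP signature
    a = extract_assertion(response_xml)
    return a is not None and verify_signature(a, idp_key)
```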
Versions Affected
*Severity is high unless otherwise noted.
- uaa_release
  - All versions from v2.0.0 to v78.13.0 (inclusive)
- CF Deployment
  - All versions to v56.1.0 (inclusive)
Mitigation
Users of affected products are strongly encouraged to follow the mitigations below.
The Cloud Foundry project recommends upgrading the following releases:
- uaa_release
  - Due to known issues in 78.14.0, please upgrade uaa_release versions to v78.15.0 or greater
- CF Deployment
  - Upgrade cf-deployment version to v57.0.0 or greater
    - Includes uaa_release v78.16.0
Credit
Reported by Arthur Chan from Ada Logics in collaboration with Claude and Anthropic Research
History
June 11th 2026: Initial vulnerability report published
