
Cloud Foundry UAA SAML Authentication Bypass via Unsigned Encrypted Assertions

CVE advisory. Severity: CRITICAL (CVSS 9.0)

CVE-2026-41005

Cloud Foundry UAA accepts SAML assertions that are encrypted but not signed, which can be abused for authentication bypass. Because an assertion is encrypted with UAA's own public encryption key, which anyone can obtain, an attacker can submit a forged assertion and gain unauthorized access. The issue applies when the affected SAML flows are in use and `wantAssertionSigned` is set to `false`.

Halo Surface Signal: 5

External exposure likelihood

Halo Surface Signal score for CVE-2026-41005

The vulnerability affects the Cloud Foundry User Account and Authentication (UAA) service, which issues tokens for the platform and, in SAML deployments, acts as the service provider that consumes assertions from external identity providers. Its browser-based SSO and token endpoints are public-facing by design so that external users and applications can authenticate.

PCI scan relevance

PCI Relevance for CVE-2026-41005

Yes

CVE-2026-41005 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows unauthenticated attackers to bypass authentication by leveraging improper handling of SAML assertions. This could lead to a PCI scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability in Cloud Foundry's User Account and Authentication (UAA) service. The issue allows for authentication bypass by improperly handling SAML assertions, where encryption was mistakenly accepted in place of required digital signatures. This could potentially allow unauthorized access to systems relying on UAA for identity verification.

  • Unsigned but encrypted SAML data was accepted.
  • Could bypass authentication for Cloud Foundry.
  • Confirm relevance and potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker crafts a SAML assertion with a subject and attributes of their choosing, encrypts it with UAA's published public key, and submits it to UAA without any signature. Because UAA treats a successfully decrypted assertion as authentic, the forged assertion passes validation and the attacker is authenticated as the chosen user, gaining whatever access that identity carries in the services that trust UAA.

  • Requires network access to UAA.
  • Attacker sends a forged SAML assertion.
  • Risk of authentication bypass.

Live Threat

Current exploitation, exposure, and threat context

Cloud Foundry UAA could be tricked into accepting unsigned SAML assertions that contain encrypted content. This could allow an attacker to impersonate a user or service when `wantAssertionSigned` is set to `false` and the service provider relies on encryption for authenticity.

  • User authentication data at risk.
  • Impersonation via forged assertions.
  • Unauthorized access to services.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

In a Cloud Foundry environment, the platform or infrastructure teams are normally responsible for the User Account and Authentication (UAA) service. Initial triage should establish which UAA instances are deployed and at what versions, whether any SAML identity provider is configured with `wantAssertionSigned` set to `false`, and whether those instances are reachable from untrusted networks. Once the exposure is confirmed, the accountable team should plan the vendor update. Until it is applied, requiring signed assertions (`wantAssertionSigned` set to `true`) removes the condition under which the bypass applies; an identity provider that does not sign its assertions will then fail to authenticate, so coordinate the change with the IdP owner before making it.

  • Platform or infrastructure teams own the fix.
  • Inventory UAA versions, configured SAML providers and the `wantAssertionSigned` setting.
  • Apply the vendor update; require signed assertions as an interim mitigation.

Frequently asked questions

What is Cloud Foundry UAA?

Cloud Foundry UAA (User Account and Authentication) is a multi-tenant identity management service. It is the central service for user accounts and token issuance in a Cloud Foundry foundation: it acts as an OAuth 2.0 authorization server for platform applications and supports federation protocols, including SAML, so that external identity providers can deliver single sign-on (SSO) into the platform.

What is the vulnerability in CVE-2026-41005?

This is a signature-verification failure, classified as CWE-347 (Improper Verification of Cryptographic Signature), not a weakness in the encryption itself. UAA treats the fact that an assertion decrypted successfully as proof that the identity provider produced it. But assertions are encrypted with UAA's own public key, which UAA publishes in its SAML metadata precisely so that any identity provider can encrypt to it; anyone can therefore produce a validly encrypted, unsigned assertion with arbitrary contents. Only a signature made with the identity provider's private key demonstrates origin, and that is exactly what UAA does not require in the affected configuration.
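The attack path and the FAQ answer above both come down to one point: decrypting under the service provider's key proves nothing about who sent the message. The following is an added illustration, not UAA code and not part of the advisory; it models the flaw with textbook RSA on tiny primes, an invented JSON envelope standing in for a SAML Response, and constructed keys for UAA, the IdP and the attacker. `vulnerable_validate` reproduces the flawed decision (an encrypted assertion is accepted when signatures are not demanded), `hardened_validate` the correct one (a verified IdP signature is always required).

```python
"""Toy model of the failure mode behind CVE-2026-41005: an assertion that
decrypts correctly under the service provider's key says nothing about who
produced it. Textbook RSA with tiny primes and no padding, for illustration
only; this is not UAA code and the envelope format is invented."""
import hashlib
import json


def rsa_keypair(p, q, e=65537):
    """Textbook RSA on two small primes (constructed demo keys, never for real use)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (e, n), (d, n)


# UAA publishes its encryption public key in its SP metadata so that any IdP can
# encrypt assertions to it. The IdP's signing private key is the only secret that
# actually ties an assertion to its origin. An attacker has a key pair of their own.
UAA_ENC_PUB, UAA_ENC_PRIV = rsa_keypair(104729, 1299709)
IDP_SIG_PUB, IDP_SIG_PRIV = rsa_keypair(999983, 1000003)
ATTACKER_SIG_PUB, ATTACKER_SIG_PRIV = rsa_keypair(1000033, 1000037)


def encrypt(data, pub):
    e, n = pub
    return [pow(b, e, n) for b in data]  # one RSA block per byte (toy, no padding)


def decrypt(blocks, priv):
    d, n = priv
    return bytes(pow(c, d, n) for c in blocks)


def _digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data, priv):
    d, n = priv
    return pow(_digest_int(data, n), d, n)


def verify(data, sig, pub):
    e, n = pub
    return pow(sig, e, n) == _digest_int(data, n)


def idp_issue(claims, sign_it=True):
    """A legitimate IdP: sign the assertion with its private key, then encrypt it to the SP."""
    plaintext = json.dumps(claims, sort_keys=True).encode()
    return {
        "encrypted": True,
        "payload": encrypt(plaintext, UAA_ENC_PUB),
        "signature": sign(plaintext, IDP_SIG_PRIV) if sign_it else None,
    }


def attacker_forge(claims, signing_key=None):
    """The attacker needs only the SP's public encryption key. They cannot sign as
    the IdP; at best they sign with a key of their own (signing_key)."""
    plaintext = json.dumps(claims, sort_keys=True).encode()
    return {
        "encrypted": True,
        "payload": encrypt(plaintext, UAA_ENC_PUB),
        "signature": sign(plaintext, signing_key) if signing_key else None,
    }


def _open(envelope):
    """Decrypt with the SP's private key; succeeds for anything encrypted to the public key."""
    return decrypt(envelope["payload"], UAA_ENC_PRIV) if envelope["encrypted"] else envelope["payload"]


def vulnerable_validate(envelope, want_assertion_signed):
    """Flawed SP logic: when signatures are not demanded, a successful
    decryption is mistaken for proof of origin (CWE-347)."""
    plaintext = _open(envelope)
    sig = envelope["signature"]
    if sig is not None:
        return json.loads(plaintext) if verify(plaintext, sig, IDP_SIG_PUB) else None
    if not want_assertion_signed and envelope["encrypted"]:
        return json.loads(plaintext)  # BUG: "it decrypted under our key, so the IdP sent it"
    return None


def hardened_validate(envelope):
    """Encryption gives confidentiality; only a verified IdP signature gives origin."""
    plaintext = _open(envelope)
    sig = envelope["signature"]
    if sig is None or not verify(plaintext, sig, IDP_SIG_PUB):
        return None
    return json.loads(plaintext)


if __name__ == "__main__":
    forged = attacker_forge({"sub": "admin@example.org"})  # constructed attacker input
    print("vulnerable (wantAssertionSigned=false):", vulnerable_validate(forged, False))
    print("hardened:", hardened_validate(forged))
```

The forged envelope is accepted by `vulnerable_validate` only when `want_assertion_signed` is false, which mirrors the advisory's condition; with it true, or under `hardened_validate`, the same envelope is rejected, and so is one the attacker signed with their own key, because verification is done against the IdP's public key rather than against whatever key the sender chose.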

How can an attacker trigger this CVE?

An attacker triggers this by sending a crafted, unsigned SAML assertion, encrypted to UAA's public key, to a UAA endpoint that consumes SAML assertions (the token endpoint or the browser SSO flow). The bug is reachable only when UAA is configured to accept unsigned assertions (`wantAssertionSigned` set to `false`) and so ends up relying on encryption alone for identity validation. It is not a general flaw in encrypted traffic; an assertion that is both signed and encrypted is still verified against the identity provider's signing key.

Is my system at risk according to Halo Surface Signal?

Halo Surface Signal indicates a high likelihood of risk because the UAA component is designed to be public-facing to support external users and browser-based SSO. If your UAA instance is accessible over the internet to perform its standard identity provider functions, it is exposed to the network-level interaction required for an attacker to submit these forged SAML assertions.

What should I do if I run Cloud Foundry?

First, check whether your deployment runs an affected version of UAA (2.0.0 through 78.13.0) or of cf-deployment (through 56.1.0), and whether any SAML identity provider is configured with `wantAssertionSigned` set to `false`. Coordinate with your platform or infrastructure teams to review the UAA configuration and the SAML authentication flows in use. Prioritize the services that rely on UAA for identity verification, and plan to apply the vendor's update or the security configuration change the vendor recommends.
