External risk intelligence

Relyra SAML Library Accepts Forged Signatures

CVE advisory
Severity: CRITICAL (CVSS 9.1)

CVE-2026-49454

The vulnerability exists in a SAML 2.0 Service Provider library used for authentication in Elixir and Phoenix web applications. SAML endpoints are commonly exposed to the internet so that identity providers can deliver assertions to them, which makes applications using this library reachable by external attackers.

Authentication Bypass

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in the Relyra SAML 2.0 Service Provider library allows forged authentication signatures to pass verification, so an attacker who can reach a SAML endpoint can bypass signature checking and obtain unauthorized access. Every system that relies on the library to establish user identity is affected.

  • Forged signatures could bypass authentication.
  • Important for systems relying on secure identity assertion.
  • Confirm relevance and assess potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker can forge a SAML signature to bypass authentication because the library does not verify the cryptographic signature over the assertion before reporting a successful login. By submitting an assertion that names any subject, together with a signature element that parses but was never produced by the identity provider's key, an unauthenticated attacker can impersonate any user.

  • No authentication required.
  • Forged SAML signature.
  • Bypass authentication, impersonate users.

Live Threat

Current exploitation, exposure, and threat context

According to the advisory, the Relyra SAML 2.0 Service Provider library accepts forged SAML signatures, allowing an attacker to impersonate a user and gain unauthorized access. The root cause is that the library did not fully verify the cryptographic signature before returning a successful authentication result.

  • Any account that authenticates through the affected Service Provider can be impersonated.
  • Forged signatures pass verification instead of being rejected.
  • Unauthorized access to the protected application follows without valid credentials.

Operational Fix

Recommended remediation, mitigation, and detection steps

Application owners and platform teams are likely responsible for addressing this vulnerability within their Elixir and Phoenix applications. The first practical step is to identify all instances of the affected library (each application's mix.lock records the pinned version), confirm their exposure and business criticality, and then coordinate remediation with the appropriate development teams, or with vendor management if a third-party product is impacted.

  • Application owners should manage remediation efforts.
  • Verify exposed SAML endpoints and affected applications.
  • Plan for library updates during maintenance windows.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Relyra?

Relyra is a specialized software library built for the Elixir programming language and the Phoenix web framework. Developers use it as a Service Provider to handle SAML 2.0 authentication, which allows users to sign into web applications using external identity providers.

How does CVE-2026-49454 affect authentication?

This vulnerability is classified as CWE-287 (Improper Authentication) and CWE-347 (Improper Verification of Cryptographic Signature). In practice the library does not check that the digital signature on a SAML response is genuine. Because that check is skipped, the system treats a forged authentication response as legitimate and grants unauthorized access.

Can any SAML request trigger this bug?

The issue is triggered by presenting a SAML response with a forged signature to the application. The failure is internal to the library: it accepts the document structure without verifying the signature bytes against the identity provider's key. A response carrying a valid, legitimate signature does not trigger the vulnerability; the flaw is specifically that invalid or forged signatures are not rejected.
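The failure described in the Attack Path section and in this answer, as an added example that is not Relyra's code: a toy signed-response verifier in Go. Real SAML uses XML-DSig (canonicalization plus an RSA or ECDSA signature checked against the identity provider's pinned certificate); here Ed25519 over the raw Assertion bytes stands in for that, and all element and function names are assumptions. VulnerableAuthenticate checks only that a Signature element is present and well-formed, which is the behaviour the advisory describes; HardenedAuthenticate verifies the signature bytes before deriving an identity.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Toy model of a signed SAML response. Ed25519 over the raw <Assertion> bytes
// stands in for XML-DSig; element names are assumptions for this example.
var (
	assertionRe = regexp.MustCompile(`(?s)<Assertion>.*?</Assertion>`)
	subjectRe   = regexp.MustCompile(`<Subject>([^<]*)</Subject>`)
	sigValueRe  = regexp.MustCompile(`<SignatureValue>([^<]*)</SignatureValue>`)
)

var ErrUnauthenticated = errors.New("saml: signature does not verify")

// IssueResponse is the identity provider's side: sign the assertion bytes
// and wrap them together with the signature.
func IssueResponse(idpPriv ed25519.PrivateKey, subject string) string {
	assertion := "<Assertion><Subject>" + subject + "</Subject></Assertion>"
	sig := ed25519.Sign(idpPriv, []byte(assertion))
	return "<Response>" + assertion + "<Signature><SignatureValue>" +
		base64.StdEncoding.EncodeToString(sig) + "</SignatureValue></Signature></Response>"
}

// ForgeResponse is the attacker's side: any subject, a Signature element that
// parses, and 64 bytes of junk where the signature belongs.
func ForgeResponse(subject string) string {
	junk := bytes.Repeat([]byte{0x41}, ed25519.SignatureSize)
	return "<Response><Assertion><Subject>" + subject + "</Subject></Assertion>" +
		"<Signature><SignatureValue>" + base64.StdEncoding.EncodeToString(junk) +
		"</SignatureValue></Signature></Response>"
}

// extract pulls the assertion bytes, the subject named inside them, and the
// decoded signature out of a response. It checks structure only.
func extract(doc string) (assertion []byte, subject string, sig []byte, err error) {
	a := assertionRe.FindString(doc)
	s := subjectRe.FindStringSubmatch(a)
	v := sigValueRe.FindStringSubmatch(doc)
	if a == "" || s == nil || v == nil {
		return nil, "", nil, errors.New("saml: malformed response")
	}
	if sig, err = base64.StdEncoding.DecodeString(v[1]); err != nil {
		return nil, "", nil, errors.New("saml: malformed response")
	}
	return []byte(a), s[1], sig, nil
}

// VulnerableAuthenticate models the advisory's flaw: the Signature element must
// be present and well-formed, but its bytes are never checked against the IdP
// key, so any structurally valid document logs in as whatever subject it names.
func VulnerableAuthenticate(doc string) (string, error) {
	_, subject, sig, err := extract(doc)
	if err != nil {
		return "", err
	}
	if len(sig) != ed25519.SignatureSize { // structure check only
		return "", ErrUnauthenticated
	}
	return subject, nil
}

// HardenedAuthenticate verifies the signature over the exact bytes that were
// signed, using the IdP public key configured for this Service Provider (never
// a key carried inside the message), and only then takes the subject from them.
func HardenedAuthenticate(idpPub ed25519.PublicKey, doc string) (string, error) {
	assertion, subject, sig, err := extract(doc)
	if err != nil {
		return "", err
	}
	if !ed25519.Verify(idpPub, assertion, sig) {
		return "", ErrUnauthenticated
	}
	return subject, nil
}

func main() {
	idpPub, idpPriv, _ := ed25519.GenerateKey(rand.Reader)
	legit := IssueResponse(idpPriv, "alice")
	tampered := strings.Replace(legit, "alice", "admin", 1) // keeps alice's signature
	for name, doc := range map[string]string{"legit": legit, "forged": ForgeResponse("admin"), "tampered": tampered} {
		vu, verr := VulnerableAuthenticate(doc)
		hu, herr := HardenedAuthenticate(idpPub, doc)
		fmt.Printf("%-8s vulnerable=%q err=%v | hardened=%q err=%v\n", name, vu, verr, hu, herr)
	}
}
```

The forged and tampered documents both log in as admin through VulnerableAuthenticate and are both rejected by HardenedAuthenticate; the legitimate response passes both. A production check additionally needs canonicalization, the reference and digest checks of XML-DSig, and Issuer, Audience and time-window validation, none of which this toy models.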

Why does Halo Surface Signal categorize this as external?

Halo Surface Signal identifies this as an external risk because Relyra handles SAML endpoints, which are typically exposed to the internet to enable seamless logins. Since the application cannot distinguish between real and forged signatures, any reachable SAML endpoint becomes a potential target for impersonation.

What is the first step to secure my application?

Your primary action is to update the Relyra dependency to version 1.2.0 or later. Before applying the update, inventory your Elixir and Phoenix applications to locate every instance pinned to an affected version. Coordinate with your development team to test the update and confirm that SAML authentication flows still work, including that responses with invalid signatures are now rejected.
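One way to run the inventory step across many applications, as an added example and not a Halo or Relyra tool: a Go audit of mix.lock contents that flags any Hex release of the package below 1.2.0, the fixed version this page names. The lock-file key "relyra", the sample lock excerpts and the application names are constructed for the example; the line layout matches what mix writes for Hex and git dependencies.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// FixedVersion is the first non-vulnerable release named in the advisory.
const FixedVersion = "1.2.0"

// mix.lock records a Hex dependency as  "name": {:hex, :name, "1.2.3", "<sha>", ...},
// and a git dependency as  "name": {:git, "<url>", "<commit>", [...]},  with no version.
var (
	hexDepRe = regexp.MustCompile(`(?m)^\s*"([a-z0-9_]+)":\s*\{:hex,\s*:[a-z0-9_]+,\s*"([^"]+)"`)
	gitDepRe = regexp.MustCompile(`(?m)^\s*"([a-z0-9_]+)":\s*\{:git,`)
)

type Finding struct {
	App, Version string // Version is "" when the lock file pins no Hex release
	Status       string // "affected", "fixed", "absent" or "manual-review"
}

// parseVersion splits "MAJOR.MINOR.PATCH[-pre][+build]" into numbers plus a
// flag for a pre-release tag.
func parseVersion(v string) (nums [3]int, pre bool, err error) {
	v = strings.SplitN(v, "+", 2)[0]
	parts := strings.SplitN(v, "-", 2)
	fields := strings.Split(parts[0], ".")
	if len(fields) != 3 {
		return nums, false, fmt.Errorf("unparseable version %q", v)
	}
	for i, f := range fields {
		if nums[i], err = strconv.Atoi(f); err != nil {
			return nums, false, fmt.Errorf("unparseable version %q", v)
		}
	}
	return nums, len(parts) == 2, nil
}

// VersionLess reports whether a sorts before b. A pre-release of b (for
// example 1.2.0-rc.1 against 1.2.0) counts as older, so it stays flagged.
func VersionLess(a, b string) (bool, error) {
	an, apre, err := parseVersion(a)
	if err != nil {
		return false, err
	}
	bn, bpre, err := parseVersion(b)
	if err != nil {
		return false, err
	}
	for i := range an {
		if an[i] != bn[i] {
			return an[i] < bn[i], nil
		}
	}
	return apre && !bpre, nil
}

// AuditLock classifies one application's mix.lock against pkg and FixedVersion.
func AuditLock(app, lock, pkg string) Finding {
	for _, m := range hexDepRe.FindAllStringSubmatch(lock, -1) {
		if m[1] != pkg {
			continue
		}
		old, err := VersionLess(m[2], FixedVersion)
		switch {
		case err != nil:
			return Finding{app, m[2], "manual-review"}
		case old:
			return Finding{app, m[2], "affected"}
		}
		return Finding{app, m[2], "fixed"}
	}
	for _, m := range gitDepRe.FindAllStringSubmatch(lock, -1) {
		if m[1] == pkg { // a fork or git pin carries no Hex version: inspect the ref by hand
			return Finding{app, "", "manual-review"}
		}
	}
	return Finding{app, "", "absent"}
}

// SampleLocks are constructed lock-file excerpts, not real projects.
var SampleLocks = map[string]string{
	"billing-portal": "%{\n  \"phoenix\": {:hex, :phoenix, \"1.7.12\", \"aaaa\", [:mix], [], \"hexpm\", \"bbbb\"},\n" +
		"  \"relyra\": {:hex, :relyra, \"1.1.4\", \"cccc\", [:mix], [{:phoenix, \"~> 1.7\", [hex: :phoenix, repo: \"hexpm\", optional: false]}], \"hexpm\", \"dddd\"},\n}",
	"hr-sso":   "%{\n  \"relyra\": {:hex, :relyra, \"1.2.1\", \"eeee\", [:mix], [], \"hexpm\", \"ffff\"},\n}",
	"intranet": "%{\n  \"relyra\": {:git, \"https://git.example.internal/relyra.git\", \"0123abcd\", [branch: \"main\"]},\n}",
	"status":   "%{\n  \"phoenix\": {:hex, :phoenix, \"1.7.12\", \"aaaa\", [:mix], [], \"hexpm\", \"bbbb\"},\n}",
}

func main() {
	for app, lock := range SampleLocks {
		f := AuditLock(app, lock, "relyra")
		fmt.Printf("%-15s %-14s %s\n", f.App, f.Status, f.Version)
	}
}
```

Git-pinned checkouts are reported as manual-review rather than guessed at, because a fork may or may not contain the fix regardless of what version its mix.exs claims; an entry that does not parse as a three-part version is treated the same way rather than silently passing.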

References