External risk intelligence

Prowler SAML Authentication Weakness Allows Cross-Tenant Account Takeover.

CVE advisorySeverity: CRITICAL (CVSS 9.6)

CVE-2026-59151

The vulnerability exists in a SAML authentication flow within a cloud security platform. Such platforms often serve as centralized, internet-accessible gateways or management interfaces for cloud environments, making the authentication endpoint a common point of exposure for external users or administrators.

Authentication Bypass

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in Prowler, a cloud security platform, could allow an authenticated attacker to gain unauthorized access to different tenants within the platform by manipulating SAML authentication. This could lead to account takeover and compromise sensitive data across these tenants.

  • Malicious login to access wrong tenant data.
  • Cross-tenant access risks sensitive information.
  • Verify Prowler usage and access controls.

Attack Path

How an attacker could exploit the issue

An attacker with control over a SAML Identity Provider could exploit this vulnerability to impersonate users of a different tenant within the Prowler cloud security platform. By manipulating the SAML response to assert an email address from a domain belonging to a different tenant than the one configured for the SAML flow, the attacker can trick Prowler into issuing authentication tokens for the wrong tenant, leading to unauthorized access and account takeover. This attack targets the platform's SAML authentication mechanism, specifically how it validates and processes SAML responses to determine tenant scope.

  • Authenticated attacker with controlled IdP.
  • SAML flow with crafted email domain assertion.
  • Cross-tenant account takeover.

Live Threat

Current exploitation, exposure, and threat context

An authenticated attacker with a controlled SAML IdP could manipulate the authentication flow to impersonate users of other tenants. This could lead to unauthorized access to sensitive cloud security configurations and operational data.

  • Tenant data and access controls.
  • Via SAML assertion manipulation.
  • Cross-tenant account takeover.

Operational Fix

Recommended remediation, mitigation, and detection steps

Determining the exact ownership of this vulnerability requires understanding your specific deployment of Prowler. Generally, the platform team responsible for managing cloud security tools and potentially the infrastructure team that deployed Prowler would be involved. The first practical move is to identify all instances of Prowler, assess their accessibility and criticality, and confirm the specific tenant configurations and associated business impact.

  • Platform or infrastructure teams should own.
  • Verify Prowler tenant configurations and reachability.
  • Plan remediation based on exposure and criticality.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Prowler?

Prowler is a cloud security platform designed to help organizations assess, audit, and monitor their cloud environments. It provides visibility into security configurations and compliance postures. It is frequently used by security and infrastructure teams to identify risks across various cloud services, often serving as a central hub for managing cloud security data.

How does CVE-2026-59151 affect authentication?

This vulnerability involves Improper Authentication (CWE-287). The software incorrectly relies on the email domain provided in a SAML response to determine which tenant should receive an authentication token. Because the system fails to properly bind the token issuance to the validated SAML configuration, it can be tricked into granting access to the wrong tenant.

What triggers this authentication flaw?

An attacker must have control over a SAML Identity Provider to initiate a malicious login flow. By crafting a SAML response that asserts an email address belonging to a different tenant, the attacker can force the system to miscalculate the tenant scope. Simply accessing the login page without controlling a SAML provider does not trigger this issue.

Why is this vulnerability a concern for my organization?

According to Halo Surface Signal, Prowler installations often act as internet-accessible gateways for managing cloud environments. This makes their authentication endpoints highly visible. If your instance is exposed to the internet, it provides a broader surface for an attacker to reach and potentially exploit the SAML flow to access sensitive cross-tenant data.

Do I need to update my Prowler installation?

Yes, if you are running a version earlier than 5.30.3, you should update. Begin by identifying all instances of Prowler in your environment and confirming their current versions. After verifying your deployment, prioritize patching to ensure the SAML authentication logic is corrected and to prevent unauthorized cross-tenant access.

References