A critical Cloud Foundry UAA vulnerability has emerged, and it lets attackers slip past SAML logins entirely. Tracked as CVE-2026-41005, the flaw carries a serious CVSS score of 9.0.
Encryption Mistaken for Trust
The root cause is a subtle logic error. The User Account and Authentication (UAA) component treated XML encryption as proof of authenticity. However, encryption only protects confidentiality, not origin.
In practice, UAA accepted assertions that were encrypted yet never signed. Because assertions are encrypted to the Service Provider's public key, which is published in its metadata, anyone can produce ciphertext that UAA decrypts successfully. As a result, a successful decryption does not prove that a trusted Identity Provider sent the message.
Therefore, an attacker can forge SAML assertions and gain access. The weakness affects two flows: the OAuth 2.0 SAML2 bearer grant and browser SSO when assertion signing is disabled.
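To make the logic error concrete, here is an added toy model of the two validation paths (example code written for this article, not UAA's own code). It assumes constructed keys and stand-in primitives: an XOR keystream keyed by the publicly known SP encryption key models encryption to the SP's public key, and an HMAC keyed by a secret only the IdP holds models the IdP's XML signature; the vulnerable path trusts whatever decrypts, the fixed path requires that signature.

```python
import hashlib
import hmac
import json

# Constructed stand-ins. Real SAML uses asymmetric keys: the SP publishes its
# encryption public key in metadata (so anyone can encrypt to it) and only the
# IdP holds the private key that signs assertions. Here an XOR stream cipher
# keyed by the "public" key models encryption and an HMAC models the signature.
SP_PUBLIC_ENCRYPTION_KEY = b"sp-metadata-public-encryption-key"  # known to all
IDP_SIGNING_KEY = b"idp-private-signing-key"  # held only by the real IdP

def _keystream(key: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def _canonical(assertion: dict) -> bytes:
    return json.dumps(assertion, sort_keys=True).encode()

def sign_assertion(assertion: dict, idp_key: bytes = IDP_SIGNING_KEY) -> dict:
    signed = dict(assertion)
    signed["Signature"] = hmac.new(idp_key, _canonical(assertion), "sha256").hexdigest()
    return signed

def encrypt_assertion(assertion: dict, sp_key: bytes = SP_PUBLIC_ENCRYPTION_KEY) -> bytes:
    plain = _canonical(assertion)
    return bytes(p ^ k for p, k in zip(plain, _keystream(sp_key, len(plain))))

def _decrypt(ciphertext: bytes, sp_key: bytes) -> dict:
    plain = bytes(c ^ k for c, k in zip(ciphertext, _keystream(sp_key, len(ciphertext))))
    return json.loads(plain)

def validate_vulnerable(ciphertext: bytes, sp_key: bytes = SP_PUBLIC_ENCRYPTION_KEY) -> dict:
    """Pre-fix behaviour: a decryptable, well-formed assertion is trusted as-is."""
    return _decrypt(ciphertext, sp_key)

def validate_fixed(ciphertext: bytes, sp_key: bytes = SP_PUBLIC_ENCRYPTION_KEY,
                   idp_key: bytes = IDP_SIGNING_KEY) -> dict:
    """Fixed behaviour: decryption only yields a candidate; the IdP signature decides."""
    assertion = _decrypt(ciphertext, sp_key)
    signature = assertion.pop("Signature", None)
    if signature is None:
        raise ValueError("unsigned assertion rejected")
    expected = hmac.new(idp_key, _canonical(assertion), "sha256").hexdigest()
    if not hmac.compare_digest(signature, expected):
        raise ValueError("signature does not verify against the trusted IdP key")
    return assertion
```

Run with an assertion that was encrypted but never signed: validate_vulnerable returns it as a trusted identity, validate_fixed rejects it, and only an assertion signed with the IdP key passes the fixed path.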
Wide Version Range Affected
This Cloud Foundry UAA vulnerability spans a huge release window. Every uaa_release from v2.0.0 through v78.13.0 is exposed. In addition, CF Deployment builds up to v56.1.0 carry the same risk.
Patch Guidance
Administrators should upgrade without delay. Notably, version 78.14.0 has known issues, so teams should jump straight to uaa_release v78.15.0 or later. Similarly, CF Deployment users should move to v57.0.0 or greater, which bundles uaa_release v78.16.0.
Configuring UAA to reject unsigned assertions reduces exposure as a stopgap. Still, patching remains the only complete fix.