Security Advisory - Published 2026-06-12 - Node.js / SAML SSO
samlify CVE-2026-46490: SAML XML injection self-check
CVE-2026-46490 affects samlify before 2.13.0. The practical risk is not
a generic Node.js crash. It matters when your SAML login flow builds signed assertions
from user-controlled attributes and the service provider uses SAML attributes such as
roles or groups for authorization.
Who is affected
- Package: samlify on npm
- Affected versions: before 2.13.0
- Fixed version: 2.13.0 or newer
- Typical exposure: Node.js IdP/SP integrations that trust SAML roles, groups, tenant IDs, or admin flags.
Dependency check
npm ls samlify
pnpm why samlify
yarn why samlify
Check both direct and transitive usage. Some applications wrap SAML login in a shared authentication package, so the vulnerable dependency may live in an internal library rather than the main application.
Code paths to review
- SAML login handlers that call parseLoginResponse or build SAML assertions.
- IdP templates that place user profile values into SAML attribute values.
- Service-provider code that grants roles, groups, tenant access, or admin status from SAML attributes.
- Account profile fields that ordinary users can edit and that later flow into SAML assertions.
Log checks
- Recent SSO logins where a normal user received a new role, group, tenant, or admin-like claim.
- Unusual role or group changes immediately after SAML login events.
- Authentication errors around malformed SAML responses, assertion parsing, or attribute parsing.
- Profile changes to email, display name, department, or custom identity fields shortly before privileged login.
Safe fix path
- Upgrade samlify to 2.13.0 or newer and redeploy every service that bundles it.
- Regenerate the lockfile and confirm no older copy remains in production images or serverless bundles.
- Treat SAML attributes as input. Map roles and groups through an allowlist instead of trusting arbitrary claim names.
- Audit recent privileged sessions if SAML attributes decide authorization.
- Coordinate with the IdP owner before changing claim names, because login may break for downstream apps.
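One way to apply the allowlist step above on the service-provider side, as an added JavaScript example that is not samlify's code or part of this advisory: it assumes the response signature has already been verified and that the extracted attributes arrive as a plain object keyed by attribute name (the attribute names roles/groups, the allowlist entries and the sample values are assumptions). Claims that are not on the allowlist are returned separately so they can be logged and alerted on rather than silently granted.

```javascript
// Added example, not samlify's own code. Map SAML role/group claims through
// an explicit allowlist before any authorization decision is made.
// Assumption: the SAML response signature has already been validated and
// attributes are a plain object keyed by attribute name, each value being a
// string or an array of strings (names and values below are constructed).
const ROLE_ALLOWLIST = new Map([
  ['app-admin', 'admin'],
  ['app-billing', 'billing'],
  ['app-user', 'user'],
]);

// Only these attribute names are ever consulted for authorization.
const ROLE_ATTRIBUTES = ['roles', 'groups'];

function asArray(value) {
  if (value === undefined || value === null) return [];
  return Array.isArray(value) ? value : [value];
}

// Returns the internal roles that may be granted plus every claim that was
// rejected (unknown name, non-string value). Matching is exact: no case
// folding or substring matching, so an unexpected claim never maps to a role.
function mapSamlRoles(attributes) {
  const granted = new Set();
  const rejected = [];
  for (const name of ROLE_ATTRIBUTES) {
    for (const raw of asArray(attributes[name])) {
      if (typeof raw !== 'string') {
        rejected.push({ attribute: name, value: raw });
        continue;
      }
      const claim = raw.trim();
      const role = ROLE_ALLOWLIST.get(claim);
      if (role) granted.add(role);
      else rejected.push({ attribute: name, value: claim });
    }
  }
  return { roles: [...granted].sort(), rejected };
}

// Constructed sample: an ordinary user whose assertion also carries a claim
// the application never defined. It must not turn into a privilege.
const sampleAttributes = {
  email: 'user@example.test',
  roles: ['app-user', 'superuser'],
  groups: 'app-billing',
};

const result = mapSamlRoles(sampleAttributes);
if (result.rejected.length > 0) {
  // Log and alert here: unexpected claims after SSO login are a signal
  // worth correlating with the log checks listed in this advisory.
  console.warn('rejected SAML claims', JSON.stringify(result.rejected));
}
```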
When to request help
- You run a custom Node.js SAML identity provider or service provider.
- Admin access, tenant access, or billing permissions depend on SAML roles or groups.
- The application has multiple SPs and you cannot tell which ones bundle samlify.
- You need to patch without locking users out of SSO.
Ping7 repair path
Ping7 can review Node.js lockfiles, SAML login code, IdP/SP metadata, role mapping, production bundle versions, and post-patch login behavior. Start from CVE Repair and include the package manager, SSO provider, and whether roles or groups come from SAML attributes.