Cloud Foundry UAA SAML Authentication Bypass via Encrypted-but-Unsigned Assertions (CVE-2026-41005)
critical-cve-against-infra · active
Cloud Foundry UAA accepted SAML assertions that were encrypted but not signed, treating encryption as a substitute for an IdP signature. Because SAML assertion encryption uses the Service Provider's public key, which is published in its metadata, any party can craft ciphertext that UAA will decrypt and accept, allowing an authentication bypass in affected SAML flows.
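The trust gap described above, as an added example that is not UAA's or Cloud Foundry's code: a Go model in which the SP's decryption key and the IdP's signing key are separate, so a policy that accepts anything it can decrypt also accepts an envelope that anyone holding the SP's public key could have produced, while a policy that requires an IdP signature does not. The `Envelope` type, the direct RSA-OAEP encryption of the short assertion and the key names are assumptions of this model, not SAML's actual XML encryption or signature format.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope stands in for a SAML Response holding an EncryptedAssertion plus an
// optional issuer signature over the assertion (constructed model, not real XML).
type Envelope struct {
	Ciphertext []byte // assertion encrypted to the SP's published public key
	Signature  []byte // nil when the issuer did not sign the assertion
}

// Encrypt applies RSA-OAEP directly to the short assertion. Real SAML wraps an
// AES key instead, but the trust property is identical: anyone holding the SP's
// metadata public key can produce ciphertext the SP will decrypt.
func Encrypt(spPub *rsa.PublicKey, assertion []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, spPub, assertion, nil)
}

// Sign is what only the IdP can do: an RSA-PSS signature with its private key.
func Sign(idpPriv *rsa.PrivateKey, assertion []byte) ([]byte, error) {
	h := sha256.Sum256(assertion)
	return rsa.SignPSS(rand.Reader, idpPriv, crypto.SHA256, h[:], nil)
}

// AcceptVulnerable models the flaw: a successful decryption is treated as proof
// that the trusted IdP issued the assertion. No signature is ever checked.
func AcceptVulnerable(spPriv *rsa.PrivateKey, env Envelope) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, spPriv, env.Ciphertext, nil)
}

// AcceptHardened decrypts and then requires a valid IdP signature over the
// plaintext. A missing (nil) signature fails verification like a bad one, so
// "encrypted but unsigned" is rejected rather than silently trusted.
func AcceptHardened(spPriv *rsa.PrivateKey, idpPub *rsa.PublicKey, env Envelope) ([]byte, error) {
	assertion, err := rsa.DecryptOAEP(sha256.New(), nil, spPriv, env.Ciphertext, nil)
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256(assertion)
	if err := rsa.VerifyPSS(idpPub, crypto.SHA256, h[:], env.Signature, nil); err != nil {
		return nil, err
	}
	return assertion, nil
}
```

The same check applies to a real SP: verify the XML signature with the configured IdP certificate after decryption, and treat decryptability alone as meaningless for authentication.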