Cloud Foundry UAA Bypass: Unsigned SAML Exposes Identity Tokens


The National Vulnerability Database has disclosed CVE-2026-22734, a critical bypass vulnerability in Cloud Foundry UAA. This isn’t just a bug; it’s a fundamental flaw in how UAA handles SAML 2.0 bearer assertions when they are enabled for a client. Specifically, the UAA accepts these assertions without requiring them to be either signed or encrypted.

This is a glaring security oversight. In an enterprise context, identity providers (IdPs) like UAA are the gates to critical systems. Allowing unsigned, unencrypted SAML assertions is akin to leaving the front door unlocked with a ‘come on in’ sign. An attacker can craft a malicious SAML assertion, bypass authentication, and obtain a valid token for any user. This grants unfettered access to all UAA-protected systems.

The attacker’s calculus here is straightforward and highly attractive. They don’t need to exploit a complex remote code execution vulnerability. They simply need to understand the SAML assertion structure and the UAA’s flawed validation logic. With a forged assertion, they can impersonate any user, including administrators, and move laterally across the entire connected ecosystem.

This vulnerability impacts UAA versions from v77.30.0 to v78.7.0 (inclusive) and CF Deployment versions from v48.7.0 to v54.14.0 (inclusive). The CVSS v3.1 score of 8.6 (HIGH) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N underscores the severity. The ‘C:H’ (Confidentiality High) is particularly concerning, indicating a complete loss of confidentiality.

This isn’t just about patching; it’s about re-evaluating the fundamental trust assumptions in your identity infrastructure. The underlying issue, categorized as CWE-290 (Authentication Bypass by Spoofing), highlights a broader pattern of neglecting cryptographic integrity in critical authentication flows. Defenders need to recognize that identity systems are prime targets, and any weakness in their cryptographic validation is an open invitation for compromise.

CISOs must understand that this isn’t a theoretical risk. It’s a direct path to total system compromise. An attacker leveraging this vulnerability can gain access to sensitive data, manipulate configurations, and establish persistence, all while appearing to be a legitimate user.

What This Means For You

  • If your organization uses Cloud Foundry UAA or CF Deployment within the affected versions, **you are exposed to a critical authentication bypass.** Immediately verify whether SAML 2.0 bearer assertions are enabled for any clients. If they are, patch UAA to a fixed version or implement compensating controls that enforce SAML assertion signing and encryption. Audit all UAA access logs for unusual token issuance or privileged access from unexpected sources.
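The control the bullet above asks for, written out as an added example (not UAA's own code): a gatekeeper for the saml2-bearer grant that refuses any plaintext assertion lacking a signature bound to its own ID, from an untrusted issuer, or malformed. The issuer URL and both sample assertions are constructed for the demonstration; the check enforces presence and binding of the signature and leaves the cryptographic verification of SignatureValue to an XML-DSig library.

```python
import base64
import xml.etree.ElementTree as ET  # production code should use defusedxml: ET is not hardened against XML bombs

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"


def check_bearer_assertion(assertion_b64url: str, trusted_issuers: set) -> tuple:
    """Gatekeeper for the saml2-bearer grant's base64url 'assertion' parameter (RFC 7522).

    Returns (True, name_id) only for a plaintext assertion from a trusted issuer that carries a
    ds:Signature bound to this assertion's ID; otherwise (False, reason). Presence and binding
    are checked here; the SignatureValue itself must still be verified against the IdP
    certificate by an XML-DSig library before any token is issued. An EncryptedAssertion is
    decrypted with the SP key first and its plaintext then run through this same check.
    """
    try:
        padded = assertion_b64url + "=" * (-len(assertion_b64url) % 4)
        root = ET.fromstring(base64.urlsafe_b64decode(padded))
    except (ValueError, ET.ParseError) as exc:
        return False, f"malformed assertion: {exc}"
    if root.tag != f"{{{SAML}}}Assertion":
        return False, f"unexpected root element {root.tag}"
    issuer = (root.findtext(f"{{{SAML}}}Issuer") or "").strip()
    if issuer not in trusted_issuers:
        return False, f"untrusted issuer {issuer!r}"
    sig = root.find(f"{{{DSIG}}}Signature")
    if sig is None:  # the CWE-290 gap: an unsigned assertion must never mint a token
        return False, "unsigned assertion"
    ref = sig.find(f"{{{DSIG}}}SignedInfo/{{{DSIG}}}Reference")
    if ref is None or ref.get("URI") != "#" + root.get("ID", ""):
        return False, "signature not bound to this assertion"
    name_id = (root.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID") or "").strip()
    return (True, name_id) if name_id else (False, "missing NameID")


def _b64url(xml: str) -> str:
    return base64.urlsafe_b64encode(xml.encode()).decode().rstrip("=")


# Constructed sample assertions for demonstration only; not real UAA or IdP output.
TRUSTED = {"https://idp.example.test"}
UNSIGNED = _b64url(
    f'<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0">'
    '<saml:Issuer>https://idp.example.test</saml:Issuer>'
    '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject></saml:Assertion>')
SIGNED_SHAPE = _b64url(
    f'<saml:Assertion xmlns:saml="{SAML}" xmlns:ds="{DSIG}" ID="_a2" Version="2.0">'
    '<saml:Issuer>https://idp.example.test</saml:Issuer>'
    '<ds:Signature><ds:SignedInfo><ds:Reference URI="#_a2"/></ds:SignedInfo>'
    '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>'
    '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject></saml:Assertion>')
```

Run against UAA token-endpoint traffic, the same decision logic is also a useful detection: any grant request carrying an assertion without a ds:Signature is worth an alert regardless of whether the server accepted it.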


Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-22734 | Auth Bypass | Cloud Foundry UAA |
| CVE-2026-22734 | Auth Bypass | Cloud Foundry UAA versions v77.30.0 to v78.7.0 (inclusive) |
| CVE-2026-22734 | Auth Bypass | CF Deployment versions v48.7.0 to v54.14.0 (inclusive) |
| CVE-2026-22734 | Auth Bypass | SAML 2.0 bearer assertions are enabled for a client and are neither signed nor encrypted |
