SA-CONTRIB-2026-018: SAML SSO Reflected XSS — Script Injection on Your Login Page

Published: (March 11, 2026 at 12:03 AM EDT)
Source: Dev.to

Overview

SA‑CONTRIB‑2026‑018 is a critical reflected XSS vulnerability in the SAML SSO – Service Provider module (drupal/miniorange_saml).
CVE‑2026‑3217 allows an attacker to inject scripts into SSO login endpoints via crafted URLs. The vulnerability affects all versions prior to the fixed release, 3.1.3.

“The module does not sufficiently sanitize user input, which allows reflected XSS via crafted requests.” — Drupal Security Team, SA‑CONTRIB‑2026‑018

Exploit Flow

    flowchart TD
        A[Attacker crafts malicious URL targeting SSO endpoint] --> B[Victim clicks link — expects login page]
        B --> C{Input sanitized by module?}
        C -->|No — version < 3.1.3| E[Session tokens / credentials at risk]
        E --> F[Account takeover possible]
        C -->|Yes — version ≥ 3.1.3| G[Input escaped — attack neutralized]

Impact

  • High‑trust surface: Users inherently trust login pages, making them prime targets.
  • Session context: Scripts running during authentication can capture credentials, tokens, or manipulate redirects.
  • Blast radius: The login page is visited by every user, so successful exploitation can affect the entire user base.

Remediation

  1. Check installed version

    composer show drupal/miniorange_saml
  2. Upgrade to the patched version (≥ 3.1.3)

    composer require drupal/miniorange_saml:^3.1.3
  3. Clear caches and rebuild the router

    drush cr
  4. Review SSO‑related permissions

    drush role:list | grep -Ei "saml|sso|miniorange"
  5. Test both SP‑initiated and IdP‑initiated login flows to ensure parameters are properly escaped.
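Steps 1 and 5 above (and the "verify that all query parameters and error messages on login callback URLs are properly escaped" advice further down) can be turned into a repeatable check. The following Python script is an added example written for this post; it is not code from the advisory, the Drupal Security Team, or miniOrange. It parses the `composer show` output from step 1 and compares the installed version against 3.1.3, and it classifies how an SSO endpoint reflects a canary value: verbatim (unescaped), entity‑encoded (escaped), or not at all. The endpoint URL, the parameter name, the canary string, and the sample response bodies are all constructed for the example; real endpoint paths come from your site's routing, and you fetch the probe URL with whatever HTTP client you already use.

```python
import html
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Fixed version stated in SA-CONTRIB-2026-018.
PATCHED_VERSION = (3, 1, 3)

# Canary: an unusual token followed by the four characters that HTML
# escaping must transform. If they come back verbatim, the parameter is
# reflected without escaping. (Constructed value; any unique token works.)
CANARY_PREFIX = "ssocanary7f3"
CANARY_SPECIALS = "<>\"'"
CANARY = CANARY_PREFIX + CANARY_SPECIALS


def parse_composer_version(show_output: str):
    """Extract (major, minor, patch) from the 'versions' line that
    `composer show drupal/miniorange_saml` prints, e.g. 'versions : * 3.1.2'.
    Returns None when no such line is present."""
    m = re.search(r"^versions\s*:\s*\*?\s*v?(\d+)\.(\d+)\.(\d+)", show_output, re.M)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_patched(version) -> bool:
    """True when the installed version is at or above the fixed release."""
    return version is not None and tuple(version) >= PATCHED_VERSION


def probe_url(endpoint: str, param: str, canary: str = CANARY) -> str:
    """Build the URL that sets `param` to the canary while preserving any
    query parameters the endpoint already carries."""
    parts = urlsplit(endpoint)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query[param] = canary
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def classify_reflection(body: str) -> str:
    """Classify how a response body echoes the canary.

    'unescaped' : the canary appears verbatim, special characters intact
    'escaped'   : the token appears, but the special characters were
                  entity-encoded or stripped (cannot break out of the markup)
    'absent'    : the response does not echo the parameter at all
    """
    if CANARY in body:
        return "unescaped"
    if CANARY_PREFIX in body:
        return "escaped"
    return "absent"


def audit(show_output: str, endpoint: str, param: str, body: str) -> dict:
    """Combine the version check and the reflection check into one verdict."""
    version = parse_composer_version(show_output)
    reflection = classify_reflection(body)
    return {
        "installed": version,
        "patched": is_patched(version),
        "probe_url": probe_url(endpoint, param),
        "reflection": reflection,
        "action_required": (not is_patched(version)) or reflection == "unescaped",
    }


if __name__ == "__main__":
    # Constructed sample inputs: a pre-fix install and two possible responses.
    composer_out = "name     : drupal/miniorange_saml\nversions : * 3.1.2\n"
    endpoint = "https://www.example.test/sso-login-placeholder"  # hypothetical path
    unsafe_body = f'<p class="error">Invalid request: {CANARY}</p>'
    safe_body = f'<p class="error">Invalid request: {html.escape(CANARY)}</p>'
    for body in (unsafe_body, safe_body):
        print(audit(composer_out, endpoint, "RelayState", body))
```

The parameter `RelayState` in the usage block is a standard SAML parameter chosen for illustration; the advisory does not name which parameters are affected, so run the check against every query parameter the SP‑initiated and IdP‑initiated callback URLs accept. A result of `escaped` on a patched install is the expected outcome; `unescaped` anywhere means the fix is not in effect on that path.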

Full Advisory Details

  • Project: SAML SSO – Service Provider (drupal/miniorange_saml)
  • Advisory: SA‑CONTRIB‑2026‑018
  • CVE: CVE‑2026‑3217
  • Published: 2026‑02‑25
  • Risk: Critical
  • Type: Reflected cross‑site scripting (XSS)
  • Affected versions: < 3.1.3
  • Fixed version: 3.1.3

Why This Matters for Drupal and WordPress

miniOrange publishes SAML SSO plugins for both Drupal and WordPress. Reflected XSS on authentication endpoints is platform‑agnostic and can affect any site that uses these plugins. Enterprises and higher‑education institutions that rely on SAML for federated identity should verify that all query parameters and error messages on login callback URLs are properly escaped.

If your site uses the SAML SSO – Service Provider module and is below version 3.1.3, this is not backlog work; it is an immediate security priority. Patch first, then verify login flows and review SSO route exposure.
