Dependency constraints prevent upgrade to patched saml2-legacy 4.20.3 (CVE-2026-49289) #418

Description

@maheshv546

Summary

The advisory for the recently disclosed CVE-2026-49289 recommends upgrading to simplesamlphp/saml2-legacy 4.20.3. However, downstream projects cannot perform the upgrade because the rest of the dependency graph still requires simplesamlphp/xml-common 1.x, while the patched release requires xml-common ^2.7.

This blocks consumers from applying the security fix.

Environment

  • Drupal-based application
  • simplesamlphp/simplesamlphp v2.4.7
  • simplesamlphp/saml2 v5.0.6
  • Composer

Problem

Attempting to upgrade to simplesamlphp/saml2-legacy 4.20.3 is blocked by Composer due to incompatible dependency requirements.

Composer output

lando composer why-not simplesamlphp/saml2-legacy 4.20.3

simplesamlphp/saml2-legacy v4.20.3 requires simplesamlphp/xml-common (^2.7)
simplesamlphp/saml2-legacy v4.20.3 requires webmozart/assert (^2.0)

Further investigation shows:

lando composer why-not simplesamlphp/xml-common 2.8.1

simplesamlphp/saml2 v5.0.6 requires simplesamlphp/xml-common (~1.25.0)
simplesamlphp/simplesamlphp v2.4.7 requires simplesamlphp/xml-common (^1.24.2)
simplesamlphp/xml-security v1.13.9 requires simplesamlphp/xml-common (~1.25.0)
simplesamlphp/xml-soap v1.7.1 requires simplesamlphp/xml-common (~1.25.0)

Similarly:

lando composer why-not simplesamlphp/saml2 6.2.2

simplesamlphp/simplesamlphp v2.4.7 requires simplesamlphp/saml2 (^5.0.0)
simplesamlphp/saml2 v6.2.2 requires simplesamlphp/assert (~2.0)
simplesamlphp/saml2 v6.2.2 requires simplesamlphp/xml-common (~2.8)
simplesamlphp/saml2 v6.2.2 requires simplesamlphp/xml-security (~2.3)
simplesamlphp/saml2 v6.2.2 requires simplesamlphp/xml-soap (~2.3)
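As an added illustration of why Composer reports these conflicts (example code written for this page, not part of the issue or of any SimpleSAMLphp package): a small evaluator for Composer's caret (^) and tilde (~) constraints, following the semantics documented by Composer, applied to the xml-common requirements quoted in the why-not output above. It assumes only those two operator forms; intersection() returns None when no single xml-common version can satisfy every requirer at once, which is exactly the state the issue describes.

```python
import re
from typing import Dict, Optional, Tuple

# Three-component version, e.g. "v1.25.3" -> (1, 25, 3)
Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse a Composer-style tag such as 'v2.8.1' or '1.25' into a 3-tuple."""
    m = re.match(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups())
    return (major, minor, patch)


def constraint_range(constraint: str) -> Tuple[Version, Version]:
    """Translate a caret or tilde constraint into (lower inclusive, upper exclusive)
    bounds, following Composer's documented rules:
      ^1.24.2 -> >=1.24.2 <2.0.0     ~1.25.0 -> >=1.25.0 <1.26.0
      ^2.7    -> >=2.7.0  <3.0.0     ~2.8    -> >=2.8.0  <3.0.0
      ^0.3    -> >=0.3.0  <0.4.0     ~1      -> >=1.0.0  <2.0.0
    """
    m = re.fullmatch(r"([\^~])v?(\d+(?:\.\d+){0,2})", constraint.strip())
    if not m:
        raise ValueError(f"only caret/tilde constraints are supported: {constraint!r}")
    op, spec = m.groups()
    parts = [int(p) for p in spec.split(".")]
    lower = tuple(parts + [0] * (3 - len(parts)))
    if op == "^":
        # Caret permits anything below the next breaking change; for 0.x releases
        # the minor (or, for 0.0.x, the patch) component is the breaking one.
        if parts[0] > 0 or len(parts) == 1:
            upper = (parts[0] + 1, 0, 0)
        elif parts[1] > 0 or len(parts) == 2:
            upper = (0, parts[1] + 1, 0)
        else:
            upper = (0, 0, parts[2] + 1)
    else:
        # Tilde permits the last specified component to grow.
        if len(parts) <= 2:
            upper = (parts[0] + 1, 0, 0)
        else:
            upper = (parts[0], parts[1] + 1, 0)
    return lower, upper


def satisfies(constraint: str, version: str) -> bool:
    """True if `version` lies inside the range described by `constraint`."""
    lower, upper = constraint_range(constraint)
    return lower <= parse_version(version) < upper


def blockers(requirements: Dict[str, str], candidate: str) -> Dict[str, str]:
    """Return the requirers whose constraint rules out `candidate`; this is the
    set of lines `composer why-not` prints."""
    return {pkg: c for pkg, c in requirements.items() if not satisfies(c, candidate)}


def intersection(requirements: Dict[str, str]) -> Optional[Tuple[Version, Version]]:
    """Intersect every constraint. None means no single version can satisfy all of
    them, i.e. the dependency set is unresolvable without changing a requirer."""
    ranges = [constraint_range(c) for c in requirements.values()]
    lower = max(r[0] for r in ranges)
    upper = min(r[1] for r in ranges)
    return (lower, upper) if lower < upper else None


# Constraints on simplesamlphp/xml-common, copied from the why-not output in the issue.
XML_COMMON_REQUIREMENTS = {
    "simplesamlphp/saml2 v5.0.6": "~1.25.0",
    "simplesamlphp/simplesamlphp v2.4.7": "^1.24.2",
    "simplesamlphp/xml-security v1.13.9": "~1.25.0",
    "simplesamlphp/xml-soap v1.7.1": "~1.25.0",
    "simplesamlphp/saml2-legacy v4.20.3": "^2.7",
}

if __name__ == "__main__":
    for pkg, c in blockers(XML_COMMON_REQUIREMENTS, "2.8.1").items():
        print(f"{pkg} requires simplesamlphp/xml-common ({c})")
    print("resolvable:", intersection(XML_COMMON_REQUIREMENTS) is not None)
```

Running it reproduces the four lines Composer prints for xml-common 2.8.1 and reports the set as unresolvable: the 1.x requirers intersect to >=1.25.0 <1.26.0, which has no overlap with the ^2.7 range that saml2-legacy 4.20.3 needs. Dropping saml2-legacy from the dictionary makes intersection() non-empty again, which is why the fix cannot be applied without moving the whole chain to xml-common 2.x.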

Expected behavior

It would be helpful to have a supported upgrade path that enables downstream users to remediate CVE-2026-49289 without requiring a full upgrade across the entire SimpleSAMLphp dependency ecosystem.

Could the maintainers please advise:

  • Is there a recommended migration path for users on the current 5.x dependency chain?
  • Is backporting support for xml-common ^2.x to the supported branch feasible?
  • Are there plans for coordinated releases across the related packages to ease migration?

Any guidance would be appreciated, as this currently prevents adoption of the security fix.
