victorstackAI

Posted on • Originally published at victorstack-ai.github.io

SA-CONTRIB-2026-018: SAML SSO Reflected XSS — Script Injection on Your Login Page

SA-CONTRIB-2026-018 is a critical reflected XSS in an identity-adjacent module. Attacker-controlled input reflects back into browser execution paths on SSO endpoints — the exact surfaces users trust during login.

🚨 Danger: Critical — XSS on Authentication Endpoints

CVE-2026-3217 allows reflected cross-site scripting on SAML SSO login endpoints. If you run drupal/miniorange_saml below 3.1.3, crafted URLs can execute scripts in users' browsers during the authentication flow. Patch immediately.

Severity Snapshot

| SA ID | CVE | Severity | Affected Versions | Patched Version | Action |
|---|---|---|---|---|---|
| SA-CONTRIB-2026-018 | CVE-2026-3217 | Critical | < 3.1.3 | 3.1.3 | Patch immediately |

What Happened

The Drupal Security Team published SA-CONTRIB-2026-018 on February 25, 2026 for the SAML SSO - Service Provider module (drupal/miniorange_saml). The advisory is marked critical and classified as reflected cross-site scripting.

The root issue: the module does not sufficiently sanitize user input, which allows reflected XSS via crafted requests to authentication endpoints.

```mermaid
flowchart TD
    A[Attacker crafts malicious URL targeting SSO endpoint] --> B[Victim clicks link — expects login page]
    B --> C{Input sanitized by module?}
    C -->|No — version < 3.1.3| D[Reflected XSS executes in victim's browser]
    D --> E[Session tokens / credentials at risk]
    E --> F[Account takeover possible]
    C -->|Yes — version >= 3.1.3| G[Input escaped — attack neutralized]
```

"The module does not sufficiently sanitize user input, which allows reflected XSS via crafted requests."

— Drupal Security Team, SA-CONTRIB-2026-018

Why This Matters

This module sits in the authentication flow. Reflected XSS on SSO endpoints is especially dangerous because:

  1. High-trust surface. Users expect login pages to be safe. They click links to them without suspicion.
  2. Session context. Scripts executing during authentication can capture credentials, tokens, or redirect flows.
  3. Blast radius. Even though exploitation requires user interaction, the login page is the one URL every user visits.

💡 Tip: Fast Version Check

Run composer show drupal/miniorange_saml to check your installed version. If it shows anything below 3.1.3, patch now.

Triage Checklist

  • [ ] Check installed version: composer show drupal/miniorange_saml
  • [ ] Verify version is below 3.1.3
  • [ ] Apply patch: composer require drupal/miniorange_saml:^3.1.3
  • [ ] Clear caches and rebuild router: drush cr
  • [ ] Review SSO-related permissions: drush role:list | grep -Ei "saml|sso|miniorange"
  • [ ] Test SP-initiated and IdP-initiated login flows
  • [ ] Confirm error/query parameters on auth endpoints are escaped in rendered output
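To make the root issue from "What Happened" and the last checklist step concrete, here is an added Python example; it is not code from the miniorange_saml module or from the advisory. It shows the class of defect the advisory describes (a query parameter reflected into a login page without escaping) beside the escaped form, and a check that classifies how an endpoint you administer reflects a harmless canary value. The parameter name `error`, the page markup and the `sso-canary` marker are assumptions; the module's real parameter names and templates are not in the advisory.

```python
"""Added example, not the miniorange_saml module's code: the reflected-XSS
defect class on a login error page, its escaped counterpart, and a check
for the checklist step 'confirm error/query parameters are escaped'."""
import html
import urllib.request
from urllib.parse import urlencode

# Constructed canary: harmless text that contains every character an HTML
# escaper must neutralise in both text-node and attribute context.
MARKER = "sso-canary"
CANARY = f'<{MARKER} "q" \'s\' & x>'


def render_error_vulnerable(error: str) -> str:
    """The defective pattern: the raw query value lands in a text node and
    in an attribute. Shown only for contrast with the hardened form."""
    return (
        "<h1>Sign in</h1>\n"
        f'<div class="error" title="{error}">SSO error: {error}</div>'
    )


def render_error_hardened(error: str) -> str:
    """Same page with the value escaped once. quote=True also encodes
    double and single quotes, so the value is safe inside the attribute
    as well as in the text node (Drupal's Twig autoescaping does the same)."""
    safe = html.escape(error, quote=True)
    return (
        "<h1>Sign in</h1>\n"
        f'<div class="error" title="{safe}">SSO error: {safe}</div>'
    )


def classify_reflection(body: str, canary: str = CANARY, marker: str = MARKER) -> str:
    """Classify how a response body reflected the canary:
    'raw'          verbatim: markup from the URL is live in the page
    'partial'      < > & escaped but quotes not: an attribute context
                   is still breakable
    'escaped'      fully escaped (quote=True form) everywhere it appears
    'transformed'  marker present but neither raw nor a known escaped
                   form: the value was filtered or mangled, review by hand
    'absent'       not reflected at all (nothing to escape)"""
    if canary in body:
        return "raw"
    if html.escape(canary, quote=False) in body:
        return "partial"
    if html.escape(canary, quote=True) in body:
        return "escaped"
    if marker in body:
        return "transformed"
    return "absent"


def probe_url(base_url: str, param: str = "error") -> str:
    """Build the URL to request against your own SSO endpoint; urlencode
    percent-encodes the canary so it survives the query string intact."""
    return f"{base_url}?{urlencode({param: CANARY})}"


def check_endpoint(base_url: str, param: str = "error", timeout: float = 10) -> str:
    """Fetch the endpoint with the canary and classify the reflection.
    Not exercised offline; run it only against a site you administer."""
    req = urllib.request.Request(
        probe_url(base_url, param), headers={"User-Agent": "sso-escape-check"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return classify_reflection(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # Offline demonstration on the two constructed renderings above.
    for name, page in (
        ("vulnerable", render_error_vulnerable(CANARY)),
        ("hardened", render_error_hardened(CANARY)),
    ):
        print(f"{name:10s} -> {classify_reflection(page)}")
```

Run the module directly for the offline comparison (`vulnerable -> raw`, `hardened -> escaped`); call `check_endpoint("https://your-site.example/<sso-endpoint>")` with the real path and parameter name for your deployment. A `partial` result is the case the checklist item is really after: a page that escapes angle brackets but not quotes still breaks out of an attribute, so treat it as unpatched until the reflected value is fully escaped.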

```bash title="Terminal — patch SAML SSO"
composer require drupal/miniorange_saml:^3.1.3
drush cr
```

```bash title="Terminal — audit SSO permissions"
# role:list prints each role with its permissions; filter for SSO-related entries
drush role:list | grep -Ei "saml|sso|miniorange"
```

Full advisory details

  • Project: SAML SSO - Service Provider (drupal/miniorange_saml)
  • Advisory: SA-CONTRIB-2026-018
  • CVE: CVE-2026-3217
  • Published: 2026-02-25
  • Risk: Critical
  • Type: Reflected cross-site scripting (XSS)
  • Affected versions: < 3.1.3
  • Fixed version: 3.1.3

Why this matters for Drupal and WordPress

miniOrange publishes SAML SSO plugins for both Drupal and WordPress, and reflected XSS on authentication endpoints is platform-agnostic in its impact. WordPress sites using miniOrange SAML, OneLogin, or any SSO plugin should verify that query parameters and error messages on login callback URLs are properly escaped. Enterprise and higher-education deployments on both platforms frequently rely on SAML for federated identity, making authentication-surface XSS one of the highest-impact vulnerability classes in the CMS ecosystem.

Bottom Line

If your site uses SAML SSO - Service Provider and is below 3.1.3, this is not backlog work. XSS on authentication endpoints is the highest-impact reflected XSS you can have — it targets the one page every user visits with full trust. Patch first, then verify login flows and review SSO route exposure.

Looking for an Architect who doesn't just write code, but builds the AI systems that multiply your team's output? View my enterprise CMS case studies at victorjimenezdev.github.io or connect with me on LinkedIn.


Originally published at VictorStack AI — Drupal & WordPress Reference
