CVE-2026-32313: xmlseclibs: Missing AES-GCM Authentication Tag Validation on Encrypted Nodes Allows for Unauthorized Decryption
XML nodes encrypted with either aes-128-gcm, aes-192-gcm, or aes-256-gcm lack validation of the authentication tag length. An attacker can use this to brute-force an authentication tag, recover the GHASH key, and decrypt the encrypted nodes. It also allows to forge arbitrary ciphertexts without knowing the encryption key.
References
- github.com/advisories/GHSA-4v26-v6cg-g6f9
- github.com/robrichards/xmlseclibs
- github.com/robrichards/xmlseclibs/commit/03062be78178cbb5e8f605cd255dc32a14981f92
- github.com/robrichards/xmlseclibs/releases/tag/3.1.5
- github.com/robrichards/xmlseclibs/security/advisories/GHSA-4v26-v6cg-g6f9
- nvd.nist.gov/vuln/detail/CVE-2026-32313
Code Behaviors & Features
Detect and mitigate CVE-2026-32313 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →