GHSA-pcgw-qcv5-h8ch: Unsigned SAML LogoutRequest Acceptance in gosaml2
The ValidateEncodedLogoutRequestPOST function in gosaml2 accepts completely unsigned SAML LogoutRequest messages even when SkipSignatureValidation is set to false. When validateElementSignature returns dsig.ErrMissingSignature, the code in decode_logout_request.go:60-62 silently falls through to process the unverified XML element instead of rejecting it. An attacker who can reach the SP’s Single Logout endpoint can forge a LogoutRequest for any user, terminating their session without possessing the IdP’s signing key.
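As an added illustration that is not gosaml2's own code, the Go model below reproduces the control-flow defect described above beside the corrected handling; `errMissingSignature`, the `logoutRequest` struct, the `verify` callback (standing in for XML-DSIG verification) and the two sample messages are all assumed or constructed for this example.

```go
package main

import (
	"encoding/xml"
	"errors"
)

var errMissingSignature = errors.New("signature element missing") // stand-in for dsig.ErrMissingSignature
// Minimal view of a SAML 2.0 LogoutRequest; the field set is assumed for this example.
type logoutRequest struct {
	NameID    string `xml:"urn:oasis:names:tc:SAML:2.0:assertion NameID"`
	Signature *struct {
		Value string `xml:"http://www.w3.org/2000/09/xmldsig# SignatureValue"`
	} `xml:"http://www.w3.org/2000/09/xmldsig# Signature"`
}
// validateElementSignature reports an absent ds:Signature as errMissingSignature; otherwise verify decides (a stand-in for XML-DSIG verification against the IdP certificate).
func validateElementSignature(req *logoutRequest, verify func(string) error) error {
	if req.Signature == nil {
		return errMissingSignature
	}
	return verify(req.Signature.Value)
}
// vulnerableValidate mirrors the flawed control flow: a missing signature is treated like a verified one, so an unsigned forgery passes although a present-but-invalid signature is still rejected.
func vulnerableValidate(raw []byte, skipSig bool, verify func(string) error) (string, error) {
	var req logoutRequest
	if err := xml.Unmarshal(raw, &req); err != nil {
		return "", err
	}
	if !skipSig {
		if err := validateElementSignature(&req, verify); err != nil && !errors.Is(err, errMissingSignature) {
			return "", err
		}
	}
	return req.NameID, nil
}
// fixedValidate: every signature error, absence included, is fatal unless skipSig was set explicitly.
func fixedValidate(raw []byte, skipSig bool, verify func(string) error) (string, error) {
	var req logoutRequest
	if err := xml.Unmarshal(raw, &req); err != nil {
		return "", err
	}
	if !skipSig {
		if err := validateElementSignature(&req, verify); err != nil {
			return "", err
		}
	}
	return req.NameID, nil
}
// Constructed samples: one with no ds:Signature at all, one carrying a placeholder Signature element.
const unsignedReq = `<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_forged" Version="2.0"><saml:NameID>alice@example.invalid</saml:NameID></samlp:LogoutRequest>`
const signedReq = `<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_real" Version="2.0"><saml:NameID>alice@example.invalid</saml:NameID><ds:Signature><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature></samlp:LogoutRequest>`
```

With `skipSig` false, `vulnerableValidate` returns the NameID from `unsignedReq` while `fixedValidate` returns `errMissingSignature`; a verifier that rejects the placeholder signature is refused on both paths, which is the asymmetry the advisory describes.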