CVE-2020-26290

critical

Description

Dex is a federated OpenID Connect provider written in Go. In Dex before version 2.27.0 there is a critical set of vulnerabilities which impacts users leveraging the SAML connector. The vulnerabilities enables potential signature bypass due to issues with XML encoding in the underlying Go library. The vulnerabilities have been addressed in version 2.27.0 by using the xml-roundtrip-validator from Mattermost (see related references).

References

Advisories

https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/

https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7

https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-elements.md

https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-directives.md

https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-attributes.md

https://github.com/dexidp/dex/security/advisories/GHSA-m9hp-7r99-94h5

https://github.com/dexidp/dex/releases/tag/v2.27.0

https://github.com/dexidp/dex/commit/324b1c886b407594196113a3dbddebe38eecd4e8

Details

Source: Mitre, NVD

Published: 2020-12-28

Updated: 2026-06-17

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 9.6

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.005