How severe is GHSA-4v26-v6cg-g6f9?

GHSA-4v26-v6cg-g6f9 has a CVSS score of 8.2/10, rated HIGH. Immediate patching is strongly recommended.

Which packages are affected by GHSA-4v26-v6cg-g6f9?

GHSA-4v26-v6cg-g6f9 affects the following packages: robrichards/xmlseclibs (Packagist). Ecosystems affected: Packagist.

How do I fix GHSA-4v26-v6cg-g6f9?

Update robrichards/xmlseclibs to 3.1.5 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-4v26-v6cg-g6f9 is resolved across your whole dependency graph.

How do I detect GHSA-4v26-v6cg-g6f9 in my Packagist dependencies?

Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for robrichards/xmlseclibs. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

How do I mitigate GHSA-4v26-v6cg-g6f9 if there is no patch (or I can't update yet)?

If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

How does O3 Security protect against GHSA-4v26-v6cg-g6f9?

O3 pinpoints whether GHSA-4v26-v6cg-g6f9 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Is GHSA-4v26-v6cg-g6f9 actively exploited in the wild?

No public exploit code has been indexed for GHSA-4v26-v6cg-g6f9 yet. This does not mean the vulnerability cannot be exploited — absence of public exploits does not imply safety. Apply the recommended fix and use O3 Security to monitor your exposure.

What is the EPSS score for GHSA-4v26-v6cg-g6f9?

GHSA-4v26-v6cg-g6f9 has an EPSS (Exploit Prediction Scoring System) score of 0.2%, placing it in the 5th percentile of all CVEs. EPSS is maintained by FIRST.org and estimates the probability that a vulnerability will be exploited in the wild within the next 30 days. This score indicates relatively lower exploitation probability, though the CVSS severity should still guide your patching priority.

When was GHSA-4v26-v6cg-g6f9 published, and has it been updated?

GHSA-4v26-v6cg-g6f9 was published on March 13, 2026 and was last updated on March 16, 2026. Advisory data evolves as severity scores, affected ranges, and exploit intelligence are revised — always check the latest version of the advisory before acting.

🐘 Packagist

GHSA-4v26-v6cg-g6f9

HIGH

xmlseclibs: Missing AES-GCM Authentication Tag Validation on Encrypted Nodes Allows for Unauthorized Decryption

Also known asCVE-2026-32313

Published

Mar 13, 2026

Updated

Mar 16, 2026

Affected

1 pkg

Patched

1 / 1

Exploits

None indexed

EPSS Exploitation Probability

via FIRST.org ↗

0.2%probability of exploitation in next 30 days

Lower Risk5th percentile+0.10%

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected

🐘robrichards/xmlseclibs

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.

Description

Summary

XML nodes encrypted with either aes-128-gcm, aes-192-gcm, or aes-256-gcm lack validation of the authentication tag length. An attacker can use this to brute-force an authentication tag, recover the GHASH key, and decrypt the encrypted nodes. It also allows to forge arbitrary ciphertexts without knowing the encryption key.

Details

When decrypting with either aes-128-gcm, aes-192-gcm, or aes-256-gcm here, the $authTag is set from a substr(), but never has its length validated (it should be validated with something like strlen($authTag) == self::AUTHTAG_LENGTH). For that reason, a shorter than expected data blob will allow for the $authTag to have as short a tag as only one byte (see PHP's documentation).

See this example:

function test($data) {
    $ivSize = 12;
    $tagSize = 16;

    $iv = substr($data, 0, $ivSize);
    $data = substr($data, $ivSize);
    $offset = 0 - $tagSize;
    $tag = substr($data, $offset);
    $ct = substr($data, 0, $offset);

    echo 'IV: "' . $iv . '"' . PHP_EOL;
    echo 'Tag: "' . $tag . '"' . PHP_EOL;
    echo 'CT: "' . $ct . '"' . PHP_EOL;
}

/* Outputs:
php > test('myNonceNoncet');
IV: "myNonceNonce"
Tag: "t"
CT: ""
php > test('myNonceNonceta');
IV: "myNonceNonce"
Tag: "ta"
CT: ""
php > test('myNonceNoncetag');
IV: "myNonceNonce"
Tag: "tag"
CT: ""
*/

With a legit ciphertext in hand, this is enough to recover the GHASH key. With that key, any authenticated tags can be computed offline which allows for decryption of the ciphertext and forgery of arbitrary ciphertexts.

PoC

Setup a server expecting XML with an encrypted assertion
- Run this php script poc.php with php -S 127.0.0.1:8888 (taken from this saml test case)
- The script expects this private key: sp-private-key.pem.
Create an XML document with an encrypted assertion (encrypted with aes-256-gcm)
- Here is the SAMLResponse used in the video below: saml_response.txt

Note: The steps from 3 to 6 are implemented in this exploit script: nonce_reuse_with_fmt_val_oracle.py. You can run the script with sage -python nonce_reuse_with_fmt_val_oracle.py -s 'url-encoded_and_base64-encoded_samlresponse'

Take the content of the <xenc:CipherValue> node and apply the following modifications
1. Base64-decode the content
2. Take the first 12 bytes and save them as the nonce
3. Take the last 16 bytes and save them as the tag
4. Now brute-force the tag of an empty ciphertext
  1. Loop through all 256 possible byte values (let's call that byte_tag_attempt)
  2. Concatenate together the nonce and the byte_tag_attempt
  3. Base64-encode the result
  4. Replace the content of the <xenc:CipherValue> node with this result
  5. On http errors 500, we learn that the tag is valid
  6. Do the same for the next byte of the tag until all 16 bytes have been brute-forced
With this new tag and the empty ciphertext, compute the GHASH key (the way to do this has been described in this blog post)
Use this GHASH key to compute authentication tags offline for arbitrary ciphertexts
Decryption is done by observing XML parsing errors that occur after modifying the ciphertext, those can be seen as http errors 500

poc.webm

Impact

The general impact is:

XML nodes encrypted with AES-GCM can be decrypted by observing parsing differences
XML nodes encrypted with AES-GCM can be modified to decrypt to an arbitrary value
The GCM internal GHASH key can be recovered

In cases where the encryption key is embedded in the XML and is encrypted with the Service Provider's public key (like often done with SAML), the last two items don't have a big impact. This is because:

With the Service Provider's public key, an arbitrary ciphertext can be created with a known symmetric key
The symmetric keys are generated on the fly every time the IdP creates a new SAMLResponse

In any case, secrets that are embedded in the XML, whether coming from an IdP, or from another scheme, can be decrypted.

Important: If static symmetric keys are used, as the GHASH key could have leaked, you must rotate those keys.

References

For additional information on the issue, you can refer to this blog post about the OpenSSL issue and how it can be exploited.

Affected Packages

1 total 1 fixed

Ecosystem	Package	Vulnerable range	Fix
🐘Packagist	`robrichards/xmlseclibs`	all versions	3.1.5

Detection & mitigation playbook

Open-source dependency

Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for robrichards/xmlseclibs. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update robrichards/xmlseclibs to 3.1.5 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-4v26-v6cg-g6f9 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-4v26-v6cg-g6f9 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-4v26-v6cg-g6f9. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Summary XML nodes encrypted with either aes-128-gcm, aes-192-gcm, or aes-256-gcm lack validation of the authentication tag length. An attacker can use this to brute-force an authentication tag, recover the [GHASH key](https://en.wikipedia.org/wiki/Galois/Counter_Mode#:~:text=%29%20is%20the-,hash%20key,-%2C%20a%20string%20of), and decrypt the encrypted nodes. It also allows to forge arbitrary ciphertexts without knowing the encryption key. ### Details When decrypting with either aes-128-gcm, aes-192-gcm, or aes-256-gcm [here](https://github.com/robrichards/xmlseclibs/blob/2bdfd742624d739df

O3 Security · Impact-Aware SCA

Is GHSA-4v26-v6cg-g6f9 in your dependencies?

O3 detects GHSA-4v26-v6cg-g6f9 across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works