Intel

AIKIDO-2026-171680

litesaml/lightsaml is vulnerable to Use of a Broken or Risky Cryptographic Algorithm

Use of a Broken or Risky Cryptographic Algorithm Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 26, 2026

37

Low Risk

This Affects:

PHPlitesaml/lightsaml
0.1.0 - 4.6.1
Fixed in 4.7.0
Are you affected? Scan for Free

TL;DR

litesaml/lightsaml defaults to the SHA1 algorithm when signing outbound SAML messages, both in KeyHelper::createPrivateKey() and in the SignatureWriter digest algorithm. Messages such as AuthnRequest and SAML responses are therefore signed with a deprecated, collision-prone hash unless the caller explicitly selects a stronger algorithm. This weakens the integrity guarantees of the XML signatures the library produces and lets them be accepted by relying parties that still trust SHA1. The fix changes the default signing and digest algorithm to SHA256.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you rely on the library's default algorithm to sign outbound SAML messages.

Background info

litesaml/lightsaml is vulnerable to Use of a Broken or Risky Cryptographic Algorithm in versions 0.1.0 - 4.6.1.

How to fix this

Upgrade the litesaml/lightsaml library to the patch version.