Support simplesamlphp/xml-common ^2.x to enable adoption of patched saml2-legacy 4.20.3 (CVE-2026-49289) #34

Description

@maheshv546

Summary

The security advisory CVE-2026-49289 recommends upgrading to simplesamlphp/saml2-legacy 4.20.3. However, downstream projects are currently unable to adopt the patched version because simplesamlphp/xml-soap depends on simplesamlphp/xml-common ~1.25.x, while saml2-legacy 4.20.3 requires xml-common ^2.7.

This results in Composer dependency conflicts that prevent installation of the patched package.

Composer output

lando composer why-not simplesamlphp/xml-common 2.8.1

simplesamlphp/saml2 v5.0.6 requires simplesamlphp/xml-common (~1.25.0)
simplesamlphp/simplesamlphp v2.4.7 requires simplesamlphp/xml-common (^1.24.2)
simplesamlphp/xml-security v1.13.9 requires simplesamlphp/xml-common (~1.25.0)
simplesamlphp/xml-soap v1.7.1 requires simplesamlphp/xml-common (~1.25.0)

Request

Could the maintainers please advise:

  • Are there plans to release a version of xml-soap that supports simplesamlphp/xml-common ^2.x?
  • Is there a recommended migration path for downstream consumers who need to apply the CVE-2026-49289 security fix?
  • If support for xml-common ^2.x is planned, is there an estimated timeline?

Any guidance would be greatly appreciated, as this dependency currently blocks downstream projects from upgrading to the patched saml2-legacy release.