CVE-2026-32313

xmlseclibs is a library written in PHP for working with XML Encryption and Signatures. Prior to 3.1.5, XML nodes encrypted with either aes-128-gcm, aes-192-gcm, or aes-256-gcm lack validation of the authentication tag length. An attacker can use this to brute-force an authentication tag, recover the GHASH key, and decrypt the encrypted nodes. It also allows to forge arbitrary ciphertexts without knowing the encryption key. This vulnerability is fixed in 3.1.5.

CVSS v3 8.2 HIGH

8.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/robrichards/xmlseclibs/commit/03062be78178cbb5e8f605cd255dc32a14981f92	Patch
https://github.com/robrichards/xmlseclibs/releases/tag/3.1.5	Product
https://github.com/robrichards/xmlseclibs/security/advisories/GHSA-4v26-v6cg-g6f9	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:xmlseclibs_project:xmlseclibs:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-16 14:19

Updated : 2026-03-17 19:25

NVD link : CVE-2026-32313

Mitre link : CVE-2026-32313

CVE.ORG link : CVE-2026-32313

JSON object : View

Products Affected

xmlseclibs_project

xmlseclibs

CWE

CWE-354

Improper Validation of Integrity Check Value

{"id": "CVE-2026-32313", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.2, "exploitabilityScore": 3.9}]}, "published": "2026-03-16T14:19:33.837", "references": [{"url": "https://github.com/robrichards/xmlseclibs/commit/03062be78178cbb5e8f605cd255dc32a14981f92", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/robrichards/xmlseclibs/releases/tag/3.1.5", "tags": ["Product"], "source": "security-advisories@github.com"}, {"url": "https://github.com/robrichards/xmlseclibs/security/advisories/GHSA-4v26-v6cg-g6f9", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-354"}]}], "descriptions": [{"lang": "en", "value": "xmlseclibs is a library written in PHP for working with XML Encryption and Signatures. Prior to 3.1.5, XML nodes encrypted with either aes-128-gcm, aes-192-gcm, or aes-256-gcm lack validation of the authentication tag length. An attacker can use this to brute-force an authentication tag, recover the GHASH key, and decrypt the encrypted nodes. It also allows to forge arbitrary ciphertexts without knowing the encryption key. This vulnerability is fixed in 3.1.5."}, {"lang": "es", "value": "xmlseclibs es una biblioteca escrita en PHP para trabajar con Cifrado y Firmas XML. Antes de la versi\u00f3n 3.1.5, los nodos XML cifrados con aes-128-gcm, aes-192-gcm o aes-256-gcm carecen de validaci\u00f3n de la longitud de la etiqueta de autenticaci\u00f3n. Un atacante puede usar esto para forzar por fuerza bruta una etiqueta de autenticaci\u00f3n, recuperar la clave GHASH y descifrar los nodos cifrados. Tambi\u00e9n permite falsificar textos cifrados arbitrarios sin conocer la clave de cifrado. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 3.1.5."}], "lastModified": "2026-03-17T19:25:41.563", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:xmlseclibs_project:xmlseclibs:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "430BF09C-4127-4E88-B410-360059F4A814", "versionEndExcluding": "3.1.5"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}