Summary
The recently disclosed CVE-2026-49289 recommends upgrading to simplesamlphp/saml2-legacy 4.20.3. However, downstream projects cannot perform the upgrade because the dependency graph still requires simplesamlphp/xml-common 1.x, while the patched release requires xml-common ^2.7.
This blocks consumers from applying the security fix.
Environment
- Drupal-based application
- simplesamlphp/simplesamlphp v2.4.7
- simplesamlphp/saml2 v5.0.6
- Composer
Problem
Attempting to upgrade to simplesamlphp/saml2-legacy 4.20.3 is blocked by Composer due to incompatible dependency requirements.
Composer output
lando composer why-not simplesamlphp/saml2-legacy 4.20.3
simplesamlphp/saml2-legacy v4.20.3 requires simplesamlphp/xml-common (^2.7)
simplesamlphp/saml2-legacy v4.20.3 requires webmozart/assert (^2.0)
Further investigation shows:
lando composer why-not simplesamlphp/xml-common 2.8.1
simplesamlphp/saml2 v5.0.6 requires simplesamlphp/xml-common (~1.25.0)
simplesamlphp/simplesamlphp v2.4.7 requires simplesamlphp/xml-common (^1.24.2)
simplesamlphp/xml-security v1.13.9 requires simplesamlphp/xml-common (~1.25.0)
simplesamlphp/xml-soap v1.7.1 requires simplesamlphp/xml-common (~1.25.0)
Similarly:
lando composer why-not simplesamlphp/saml2 6.2.2
simplesamlphp/simplesamlphp v2.4.7 requires simplesamlphp/saml2 (^5.0.0)
simplesamlphp/saml2 v6.2.2 requires simplesamlphp/assert (~2.0)
simplesamlphp/saml2 v6.2.2 requires simplesamlphp/xml-common (~2.8)
simplesamlphp/saml2 v6.2.2 requires simplesamlphp/xml-security (~2.3)
simplesamlphp/saml2 v6.2.2 requires simplesamlphp/xml-soap (~2.3)
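The `why-not` output above shows a version range conflict on simplesamlphp/xml-common: the patched saml2-legacy wants ^2.7 while every other requirer in the chain pins a 1.25.x or ^1.24.2 range. The following added example (written for this issue; not SimpleSAMLphp or Composer code) re-implements Composer's caret and tilde constraint rules for x.y.z versions and evaluates the constraints copied from the output above against a constructed list of candidate xml-common versions, reproducing the conclusion that no single version satisfies every requirer. The candidate list and the package names in the dictionary are taken from the issue; the helper names are my own.

```python
"""Offline reproduction of a Composer `why-not` style conflict check.

Added example, not code from the issue or from SimpleSAMLphp/Composer.
It implements the subset of Composer's constraint syntax (caret `^` and
tilde `~`) needed to show why no simplesamlphp/xml-common version can satisfy
every requirer listed in the issue's `composer why-not` output.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Requirers of simplesamlphp/xml-common and their constraints, copied from the
# `composer why-not` output in the issue. The first entry is the patched package.
XML_COMMON_REQUIREMENTS = {
    "simplesamlphp/saml2-legacy v4.20.3": "^2.7",
    "simplesamlphp/saml2 v5.0.6": "~1.25.0",
    "simplesamlphp/simplesamlphp v2.4.7": "^1.24.2",
    "simplesamlphp/xml-security v1.13.9": "~1.25.0",
    "simplesamlphp/xml-soap v1.7.1": "~1.25.0",
}

# Constructed candidate versions to probe (not a real release list of xml-common).
CANDIDATE_VERSIONS = ["1.24.2", "1.25.0", "1.25.9", "1.26.0", "2.7.0", "2.8.1"]

Version = tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse 'v1.2.3', '1.2.3', '1.2' or '1' into a (major, minor, patch) tuple."""
    nums = [int(p) for p in text.lstrip("v").split(".")]
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


@dataclass(frozen=True)
class Range:
    low: Version   # inclusive lower bound
    high: Version  # exclusive upper bound

    def contains(self, v: Version) -> bool:
        return self.low <= v < self.high


def parse_constraint(constraint: str) -> Range:
    """Translate a caret or tilde constraint into a half-open version range.

    Composer semantics implemented here (0.0.x caret edge cases are omitted):
      ^X.Y.Z  -> >=X.Y.Z <(X+1).0.0   (for X == 0: <0.(Y+1).0)
      ~X.Y.Z  -> >=X.Y.Z <X.(Y+1).0
      ~X.Y    -> >=X.Y.0 <(X+1).0.0
    """
    m = re.fullmatch(r"([\^~])(\d+(?:\.\d+){0,2})", constraint.strip())
    if not m:
        raise ValueError(f"unsupported constraint: {constraint!r}")
    op, raw = m.group(1), m.group(2)
    low = parse_version(raw)
    major, minor, _ = low
    if op == "^":
        high = (0, minor + 1, 0) if major == 0 else (major + 1, 0, 0)
    elif raw.count(".") == 2:  # ~X.Y.Z pins the minor line
        high = (major, minor + 1, 0)
    else:                      # ~X.Y or ~X allows the whole major line
        high = (major + 1, 0, 0)
    return Range(low, high)


def satisfies(version: str, constraint: str) -> bool:
    """True if `version` falls inside the range denoted by `constraint`."""
    return parse_constraint(constraint).contains(parse_version(version))


def rejecting_requirers(version: str, requirements: dict[str, str]) -> list[str]:
    """Return the requirers whose constraint excludes `version` (the why-not list)."""
    return [pkg for pkg, c in requirements.items() if not satisfies(version, c)]


def versions_satisfying_all(requirements: dict[str, str], candidates: list[str]) -> list[str]:
    """Return the candidates every requirer accepts; empty means an unsolvable graph."""
    return [v for v in candidates if not rejecting_requirers(v, requirements)]


if __name__ == "__main__":
    for v in CANDIDATE_VERSIONS:
        blockers = rejecting_requirers(v, XML_COMMON_REQUIREMENTS)
        status = "OK" if not blockers else "rejected by " + ", ".join(blockers)
        print(f"xml-common {v}: {status}")
    print("accepted by every requirer:",
          versions_satisfying_all(XML_COMMON_REQUIREMENTS, CANDIDATE_VERSIONS))
```

Running it prints that 2.8.1 is rejected by the four 1.x requirers and that every 1.25.x candidate is rejected only by saml2-legacy 4.20.3, with an empty "accepted by every requirer" list: the same conclusion Composer reaches, and a quick way to check, before opening a pull request, whether widening one package's constraint would make the graph solvable.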
Expected behavior
It would be helpful to have a supported upgrade path that enables downstream users to remediate CVE-2026-49289 without requiring a full upgrade across the entire SimpleSAMLphp dependency ecosystem.
Could the maintainers please advise:
- Is there a recommended migration path for users on the current 5.x dependency chain?
- Is backporting support for xml-common ^2.x to the supported branch feasible?
- Are there plans for coordinated releases across the related packages to ease migration?
Any guidance would be appreciated, as this currently prevents adoption of the security fix.