Summary
The security advisory CVE-2026-49289 recommends upgrading to simplesamlphp/saml2-legacy 4.20.3. However, downstream projects are currently unable to adopt the patched version because simplesamlphp/xml-soap depends on simplesamlphp/xml-common ~1.25.x, while saml2-legacy 4.20.3 requires xml-common ^2.7.
This results in Composer dependency conflicts that prevent installation of the patched package.
Composer output
lando composer why-not simplesamlphp/xml-common 2.8.1
simplesamlphp/saml2 v5.0.6 requires simplesamlphp/xml-common (~1.25.0)
simplesamlphp/simplesamlphp v2.4.7 requires simplesamlphp/xml-common (^1.24.2)
simplesamlphp/xml-security v1.13.9 requires simplesamlphp/xml-common (~1.25.0)
simplesamlphp/xml-soap v1.7.1 requires simplesamlphp/xml-common (~1.25.0)
Request
Could the maintainers please advise:
- Are there plans to release a version of xml-soap that supports simplesamlphp/xml-common ^2.x?
- Is there a recommended migration path for downstream consumers who need to apply the CVE-2026-49289 security fix?
- If support for xml-common ^2.x is planned, is there an estimated timeline?
Any guidance would be greatly appreciated, as this dependency currently blocks downstream projects from upgrading to the patched saml2-legacy release.
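To make the conflict concrete, the following is an added Python example (not code from the issue or from any simplesamlphp project) that replays Composer's `~` and `^` constraint semantics over the why-not output above and reports which dependents reject xml-common 2.8.1. The saml2-legacy line in the sample input is constructed from the ^2.7 requirement stated in the summary, to show a constraint that the candidate does satisfy.

```python
"""Replay Composer's ~ and ^ constraint rules to see which dependents block an upgrade."""
import re

# Sample `composer why-not` output: the four lines reported in the issue, plus one
# constructed line for the patched saml2-legacy requirement (^2.7, as stated in the summary).
WHY_NOT_OUTPUT = """\
simplesamlphp/saml2 v5.0.6 requires simplesamlphp/xml-common (~1.25.0)
simplesamlphp/simplesamlphp v2.4.7 requires simplesamlphp/xml-common (^1.24.2)
simplesamlphp/xml-security v1.13.9 requires simplesamlphp/xml-common (~1.25.0)
simplesamlphp/xml-soap v1.7.1 requires simplesamlphp/xml-common (~1.25.0)
simplesamlphp/saml2-legacy v4.20.3 requires simplesamlphp/xml-common (^2.7)
"""

LINE_RE = re.compile(r"^(\S+) (\S+) requires (\S+) \((.+)\)$")

def parse_version(version):
    """'v2.8.1' -> (2, 8, 1); tuples compare component-wise, like Composer versions."""
    return tuple(int(p) for p in version.lstrip("v").split("."))

def constraint_range(constraint):
    """Return (lower_inclusive, upper_exclusive) for a single ~ or ^ constraint."""
    op, parts = constraint[0], [int(p) for p in constraint[1:].split(".")]
    if op == "^":
        # ^ allows changes that keep the leftmost non-zero component: ^1.24.2 -> <2.0.0, ^0.3 -> <0.4
        i = next((k for k, p in enumerate(parts) if p), 0)
        upper = tuple(parts[:i]) + (parts[i] + 1,)
    elif op == "~" and len(parts) >= 2:
        # ~ allows only the last given component to rise: ~1.25.0 -> <1.26.0, ~1.25 -> <2.0
        upper = tuple(parts[:-2]) + (parts[-2] + 1,)
    else:
        raise ValueError(f"unsupported constraint: {constraint}")
    return tuple(parts), upper

def satisfies(version, constraint):
    lower, upper = constraint_range(constraint)
    return lower <= parse_version(version) < upper

def blockers(why_not_output, candidate):
    """List (package, version, constraint) for every dependent whose constraint rejects candidate."""
    result = []
    for line in why_not_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip the command line or any non-matching noise
        package, version, _dep, constraint = m.groups()
        if not satisfies(candidate, constraint):
            result.append((package, version, constraint))
    return result

if __name__ == "__main__":
    for package, version, constraint in blockers(WHY_NOT_OUTPUT, "2.8.1"):
        print(f"{package} {version} blocks xml-common 2.8.1 via {constraint}")
```

Running it lists the four packages from the issue and not saml2-legacy, which is exactly why no single Composer resolution can satisfy both sides until xml-soap (and the others) allow xml-common ^2.x.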