CVE-2026-59151
prowler-cloud · prowler
Prowler is vulnerable to cross-tenant account takeover due to improper validation of SAML assertions within its authentication flow.
Executive summary
A critical authentication flaw in Prowler allows authenticated users to bypass tenant restrictions and perform cross-tenant account takeover via manipulated SAML responses.
Vulnerability
The application incorrectly trusts the email domain provided in a SAMLResponse to determine tenant scope, allowing an authenticated attacker to assert an email from a different domain and receive tokens for an unauthorized tenant.
Business impact
With a CVSS score of 9.6, this vulnerability represents a high risk of unauthorized cross-tenant data access. Successful exploitation could allow attackers to access sensitive cloud security configurations and findings belonging to other tenants, leading to significant data exposure and potential compliance violations.
Remediation
Immediate Action: Update the Prowler deployment to version 5.30.3 or later to enforce correct SAML configuration binding.
Proactive Monitoring: Review authentication logs and SAML token issuance records for any discrepancies between the asserted identity and the intended tenant scope.
Compensating Controls: Ensure that the identity provider (IdP) is strictly configured to prevent the assertion of unauthorized email domains if immediate patching is not possible.
Exploitation status
Public Exploit Available: false
Analyst recommendation
This vulnerability undermines the multi-tenant security architecture of Prowler. It is critical to perform the update to version 5.30.3 immediately to ensure that SAML authentication is correctly bound to authorized tenants and to prevent potential cross-tenant compromise.