Review: SAML SSO - Service Provider Reflected XSS in Drupal (SA-CONTRIB-2026-018)
The Hook
SA-CONTRIB-2026-018 is a high-priority reflected XSS issue in an identity-adjacent module: request input that the module echoes into its response without sanitizing it lets a crafted link run attacker-supplied script in the victim's browser, on the site's own origin.
What Happened
The Drupal Security Team published SA-CONTRIB-2026-018 on February 25, 2026 for the SAML SSO - Service Provider module (drupal/miniorange_saml). The advisory is marked critical and classified as a reflected cross-site scripting (XSS) vulnerability.
The root cause: the module does not sufficiently sanitize user input, so a crafted request can reflect attacker-supplied markup into the rendered response, where it executes as script in the browser of whoever follows the link.
Affected Scope
- Affected versions: < 3.1.3
- Fixed version: 3.1.3
- CVE: CVE-2026-3217
- Advisory ID: SA-CONTRIB-2026-018
Why This Matters for Drupal 10/11 and Drupal CMS
This module sits in the authentication flow. Reflected XSS here is especially sensitive because SSO endpoints are high-trust surfaces that users reach through redirects during login and IdP handoff, so a crafted link is plausible bait, and script that runs on the site's origin runs with the victim's authenticated session. Even though exploitation needs user interaction, the blast radius is larger than on typical content-only routes.
Fast Triage Checklist
- Check installed version:
composer show drupal/miniorange_saml
- Patch immediately if running < 3.1.3:
composer require drupal/miniorange_saml:^3.1.3
- Clear caches and rebuild router after update:
drush cr
- Review SSO-related permissions and exposed authentication routes:
drush role:list | grep -Ei "saml|sso|miniorange"
- Run focused regression checks:
- Validate SP-initiated login and IdP-initiated login still complete successfully.
- Confirm that query parameters and error messages echoed on auth endpoints are escaped in the rendered output: a probe value containing `<` or `"` must come back as `&lt;` / `&quot;`, never verbatim.
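The checklist above as one runnable triage script. This is an added example written for this review, not code from the advisory or from the drupal/miniorange_saml project. It assumes a Composer-managed site (it parses the `versions : * x.y.z` line that `composer show` prints for an installed package) and compares the version numerically against 3.1.3; the reflection check reads a fetched response body and reports whether a canary with escapable characters came back verbatim. The SSO URL and query parameter in the usage comment are placeholders, not known vectors; the sample `composer show` output and HTML bodies are constructed inline so the script runs offline.

```shell
#!/usr/bin/env bash
# Added triage helper for SA-CONTRIB-2026-018. Not part of the advisory or the
# drupal/miniorange_saml module. Assumes a Composer-managed Drupal site; the SSO
# URL and query parameter in the usage note are placeholders, not known vectors.
set -eu

FIXED_VERSION="3.1.3"

# Pull the installed version out of `composer show drupal/miniorange_saml`
# output read from stdin. Composer marks the installed one like this:
#   versions : * 3.1.2
installed_version() {
  sed -n 's/^versions[[:space:]]*:[[:space:]]*\*[[:space:]]*\([^[:space:],]*\).*/\1/p' | head -n 1
}

# True (exit 0) when dotted version $1 sorts below $2, comparing each component
# as an integer. A plain string compare would rank 3.10.0 below 3.1.3. For a
# suffixed component such as "3-dev" only the numeric prefix is used.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

# True when the installed version is still in the affected range (< 3.1.3).
needs_patch() {
  version_lt "$1" "$FIXED_VERSION"
}

# Regression check for the "escaped in rendered output" item. Reads a fetched
# response body from stdin; $1 is the canary you placed in the query string.
# Exit 0 means the canary came back verbatim (unescaped) and needs a look;
# exit 1 means only an escaped form (&lt;...&gt;) or nothing was reflected.
# The canary must contain characters Twig autoescaping rewrites, otherwise
# raw and escaped output would be indistinguishable. Absence of a verbatim hit
# is not proof of safety (a JS-string context escapes differently); a hit is.
CANARY='<xss"canary>'
reflects_unescaped() {
  grep -qF -- "$1"
}

# Walk both checks over constructed sample data (no network access).
triage_demo() {
  # Constructed `composer show` output for a site still on 3.1.2.
  sample_show='name     : drupal/miniorange_saml
descrip. : SAML SSO - Service Provider
versions : * 3.1.2'
  v=$(printf '%s\n' "$sample_show" | installed_version)
  if needs_patch "$v"; then
    echo "drupal/miniorange_saml $v < $FIXED_VERSION: patch now"
  else
    echo "drupal/miniorange_saml $v is at or above $FIXED_VERSION"
  fi

  # Constructed response bodies: one reflected raw, one escaped by Twig.
  if printf '<div class="messages">Error: %s</div>\n' "$CANARY" | reflects_unescaped "$CANARY"; then
    echo "unescaped reflection found"
  fi
  if ! printf '<div class="messages">Error: &lt;xss&quot;canary&gt;</div>\n' | reflects_unescaped "$CANARY"; then
    echo "escaped reflection only (expected after the fix)"
  fi
}

# Live usage (placeholders, not executed here):
#   composer show drupal/miniorange_saml | installed_version
#   curl -sS --get --data-urlencode "PARAM=$CANARY" "https://example.test/SSO-ROUTE" \
#     | reflects_unescaped "$CANARY" && echo "canary reflected unescaped"

triage_demo
```

Run the live form against a staging copy, not production, and only against routes you own; `curl --get --data-urlencode` handles the URL-encoding of the canary so the raw `<` and `"` reach the application rather than being mangled by the shell or the transport.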
Bottom Line
If your site uses SAML SSO - Service Provider and is below 3.1.3, treat this as active patch work, not backlog work. Upgrade first, then review SSO route exposure and role permissions around authentication tooling.
