Security Advisory: CSRF protection was not working if user logged using SAML2 or OIDC

Last modified 09 Feb 2024 14:12 +01:00

Date: 20. 9. 2023

Severity: High (CVSS 8.0)

Affected versions: All midPoint versions prior to 4.4.6, 4.7.2, 4.8

Fixed in versions: 4.8, 4.7.2, 4.4.6


CSRF vulnerability exists if midPoint is configured to use remote authentication using SAML 2 or OIDC and user was authorized using these providers. Users authenticated using built-in login form are not affected.

Severity and Impact

This is High Severity Issue

Normal built-in midPoint login is not affected, but it is possible to construct CSRF attack for logged-in user if remote authentication via SAML 2 or OIDC was used to log in.


Users of affected MidPoint versions are advised to upgrade their deployments to the latest maintenance release.

Discussion and Explanation

During remote authentication sequence token-based CSRF protection (provided by Spring Framework) needs to be disabled for session, but the issue was that it was not automatically re-enabled once authentication was completed. The fixed code contains improved conditions and token based CSRF is enforced once remote authentication is completed.

Was this page helpful?
Thanks for your feedback