Shibboleth Identity Provider Security Advisories

Posted on Tuesday, 2 June 2026

The UK federation recommends adhering to best practices by routinely managing patches for the Shibboleth Identity Provider (IdP). This includes subscribing to Shibboleth Announce for future security notifications.

Following the recent security advisories [1,2] from the Shibboleth Consortium regarding the IdP, you should update your IdP software to the latest version within your existing patching schedules.

Please ensure your software versions are patched promptly. If you have any questions, please contact the UK federation service desk.

Trust and Identity consultancy customers are free to contact us to schedule an upgrade under their existing Retained Expertise agreements.

[1] Excessive resource consumption - an issue which could lead to excessive resource consumption, potentially causing the system to become unstable or fall over, recoverable with a simple service restart.

[2] SMTP injection - an issue around an SMTP injection vector, which is unlikely to be in use by the UK federation userbase. Updating will help mitigate any potential exploits.

Edited by IainMacaulay on 02 June 2026, at 10:20 AM