Nozomi Guardian and CMC SAML Single Sign-On Open Redirect Vulnerability
An Open Redirect vulnerability was discovered in the SAML Single Sign-On functionality due to insufficient validation of a user-controlled redirection parameter. An unauthenticated attacker can craft a request to the SAML sign-in endpoint and poison the cached SAML redirection for other users who subsequently initiate SAML Single Sign-On, enabling phishing and credential-theft attacks, as well as disrupting SAML authentication for all affected users.
Quick answer
Nozomi Networks Guardian and CMC should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- Nozomi Networks Guardian before 26.2.0
- Nozomi Networks CMC before 26.2.0
Fixed versions
- 26.2.0
How to fix it
Nozomi Guardian and CMC before 26.2.0 is affected by CVE-2026-31982. SAML SSO redirect validation can be poisoned for later users, enabling phishing and authentication disruption. Upgrade to 26.2.0, verify SAML redirect allowlists, and review SSO logs for poisoned redirect attempts.
- Inventory affected Nozomi Guardian and CMC deployments and record appliance, sensor, and collector versions.
- Upgrade affected systems from before 26.2.0 to 26.2.0 or later.
- Apply the vendor mitigation if an immediate upgrade cannot be completed.
- Restrict management, synchronization, SAML, and collector interfaces to trusted networks only.
- Review users, roles, sync tokens, certificates, and recent configuration changes for suspicious activity.
- Back up known-good configuration before remediation and after the patched state is confirmed.
- Monitor appliance health, audit logs, and authentication events for repeated exploit attempts.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm Nozomi Guardian and CMC is running 26.2.0 or later where applicable.
- Retest the affected workflow in staging or a maintenance window and confirm the vulnerable behavior is blocked.
- Review audit logs after remediation for failed attempts against the affected endpoint or feature.
- Confirm legitimate synchronization, SAML, SSH key, or visualization workflows still work as expected.
- Run a Fixnx scan and confirm public management interfaces are not exposed.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-31982?
Nozomi Networks Guardian and CMC versions listed as affected should be reviewed: Nozomi Networks Guardian before 26.2.0, Nozomi Networks CMC before 26.2.0.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
