The Shibboleth Project has released a security advisory that involves the Dynamic MetadataProvider feature in the Service Provider. A patch update, V2.6.1, is available that corrects the issue.