diff --git a/server/build.gradle b/server/build.gradle
index 5d62fec5d2e..120d1b4b058 100644
--- a/server/build.gradle
+++ b/server/build.gradle
@@ -27,6 +27,7 @@ dependencies {
 }
 implementation(libraries.springSecuritySaml) {
 exclude(module: "bcprov-ext-jdk15on")
+ exclude(module: "xalan") // exclude vulnerable xalan 2.7.2 (see: CVE-2022-34169)
 }
 implementation(libraries.springSessionJdbc)
diff --git a/uaa/build.gradle b/uaa/build.gradle
index 65e9768f704..2f8a45d55d8 100644
--- a/uaa/build.gradle
+++ b/uaa/build.gradle
@@ -80,7 +80,9 @@ dependencies {
 testImplementation(libraries.springTest)
 testImplementation(libraries.springSecurityJwt)
 testImplementation(libraries.springSecurityLdap)
- testImplementation(libraries.springSecuritySaml)
+ testImplementation(libraries.springSecuritySaml) {
+ exclude(module: "xalan") // exclude vulnerable xalan 2.7.2 (see: CVE-2022-34169)
+ }
 testImplementation(libraries.springSecurityTest)
 testImplementation(libraries.mockito)
 testImplementation(libraries.tomcatJdbc)
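Review bot: The `exclude(module: "xalan")` added inside the `springSecuritySaml` block in server/build.gradle removes xalan only along that one dependency path, and the same per-dependency exclusion is repeated for the test dependency in uaa/build.gradle, so any other dependency that pulls xalan in transitively would still put the 2.7.2 jar on the classpath. A build-wide rule such as `configurations.all { exclude(group: "xalan", module: "xalan") }` keeps the fix in one place and also pins the group, which the module-only form leaves open. With the jar gone, transform calls made by the SAML stack presumably fall back to the JDK's built-in JAXP implementation, which is a repackaged Xalan covered by the same CVE, so the comment should also state the minimum patched JDK the build expects. The `dependencies` blocks start and end outside both hunks, so other declarations that bring in xalan cannot be ruled out from here.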