diff --git a/lib/Helper/TXmlHelper.php b/lib/Helper/TXmlHelper.php
index 609067631..9bcd9d987 100644
--- a/lib/Helper/TXmlHelper.php
+++ b/lib/Helper/TXmlHelper.php
@@ -14,8 +14,11 @@ trait TXmlHelper {
 	 */
 	public function callWithXmlEntityLoader(callable $func): mixed {
 		libxml_set_external_entity_loader(static fn ($public, $system) => $system);
-		$result = $func();
-		libxml_set_external_entity_loader(static fn () => null);
+		try {
+			$result = $func();
+		} finally {
+			libxml_set_external_entity_loader(static fn () => null);
+		}
 		return $result;
 	}
 }
diff --git a/lib/UserBackend.php b/lib/UserBackend.php
index 3ee34fc41..24bc18a58 100644
--- a/lib/UserBackend.php
+++ b/lib/UserBackend.php
@@ -101,6 +101,18 @@ public function createUserIfNotExists(string $uid, array $attributes = []): void
 						$this->serverRoot . '/data') . '/' . $home;
 				}
 
+				// Reject paths containing directory traversal sequences
+				$normalizedHome = str_replace('\\', '/', $home);
+				if (str_contains($normalizedHome, '/../') || str_ends_with($normalizedHome, '/..')) {
+					$this->logger->warning(
+						'Rejecting home path from SAML attribute containing directory traversal sequence',
+						['app' => 'user_saml', 'home' => $home]
+					);
+					$home = '';
+				}
+			}
+
+			if ($home !== '') {
 				$values['home'] = $home;
 			}