Skip to main content

SimpleSAMLphp CAS module CVE-2026-46491

HIGH
Path Traversal (CWE-22)
2026-05-15 https://github.com/simplesamlphp/simplesamlphp-module-casserver GHSA-jrrg-99xh-5j2q
8.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
Low

Lifecycle Timeline

2
Source Code Evidence Fetched
May 15, 2026 - 19:00 vuln.today
Analysis Generated
May 15, 2026 - 19:00 vuln.today

DescriptionNVD

Summary

simplesamlphp-module-casserver builds file paths for the file-based CAS ticket store by directly concatenating the configured ticket directory with an attacker-controlled ticket identifier. Public CAS validation/proxy endpoints pass attacker-controlled ticket / pgt query parameters into this store.

In deployments using FileSystemTicketStore, a remote attacker can use path traversal sequences such as ../target.serialized to make the CAS server read and unserialize files outside the ticket directory. In the CAS 1.0 validation flow, the same attacker-selected path is also passed to deleteTicket() immediately after getTicket() returns, which can delete the target file when it is readable by the PHP process, deletable under the PHP process filesystem permissions, and unserializes to a value compatible with the ?array return type.

Preconditions

The demonstrated issue requires:

  • the casserver module to be enabled;
  • the file-based ticket store to be configured (FileSystemTicketStore);
  • public CAS validation/proxy endpoints to be reachable;
  • the PHP process to have filesystem permissions for the target path.
  • for the demonstrated CAS 1.0 deletion impact, getTicket() must return without throwing; practically, the target file must contain serialized PHP data that unserializes to a value compatible with the ?array return type, such as an array or null. Full CAS semantic validation is not required for deletion in CAS 1.0 because deleteTicket($ticket) is called immediately after getTicket($ticket).

The attacker does not need administrator access to SimpleSAMLphp.

Impact

Affected deployments can allow remote attackers to escape the configured CAS ticket directory through public ticket validation inputs.

Confirmed impact:

  • read and unserialize files outside the ticket cache when the file content is valid serialized PHP data;
  • delete attacker-selected files outside the ticket cache through the CAS 1.0 validation flow when the target is readable by the PHP process, deletable under the PHP process filesystem permissions, and the target content unserializes to a value compatible with the ?array return type, such as a serialized array or serialized null. Full CAS semantic validation is not required before deletion in the CAS 1.0 flow.

The file deletion impact depends on filesystem permissions of the PHP process. In realistic deployments, this can destroy CAS tickets, serialized SimpleSAMLphp runtime/cache files, or other writable files whose contents can be unserialized into a value accepted by the ?array return type. It may also delete attacker-created files outside the ticket directory if the attacker has another primitive to place such serialized content.

The unserialize() call creates a dangerous secondary primitive if an attacker can place a serialized object file at a reachable path, although this report does not claim a complete object-injection or RCE chain.

AnalysisAI

Path traversal in SimpleSAMLphp's CAS server module allows unauthenticated remote attackers to read and deserialize arbitrary files outside the ticket directory via crafted ticket parameters. When using FileSystemTicketStore, attackers can inject '../' sequences into CAS validation endpoints to escape the configured directory, potentially deleting files that contain serialized PHP data compatible with array types. The vulnerability has a CVSS score of 8.6 with no public exploits identified at time of analysis.

Technical ContextAI

The vulnerability affects the simplesamlphp-module-casserver component, specifically the FileSystemTicketStore implementation used for CAS (Central Authentication Service) ticket management. The CWE-22 path traversal occurs because the module directly concatenates user-controlled ticket identifiers from query parameters with the configured ticket directory path without proper sanitization. The CAS 1.0 validation flow compounds the issue by calling deleteTicket() immediately after getTicket(), creating a deletion primitive when target files contain PHP serialized data that unserializes to array-compatible values.

RemediationAI

Vendor-released patch: Upgrade to simplesamlphp-module-casserver version 7.0.3 or later. For deployments unable to upgrade immediately, consider switching from FileSystemTicketStore to an alternative ticket store implementation if available, though this requires configuration changes and testing. As a temporary mitigation, restrict network access to CAS validation endpoints to trusted sources only, understanding this may break legitimate CAS client integrations. Monitor filesystem access logs for suspicious '../' sequences in paths related to the CAS ticket directory.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-46491 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy