Skip to main content

Apereo CAS EUVDEUVD-2026-41430

| CVE-2026-59099 CRITICAL
Reusing a Nonce, Key Pair in Encryption (CWE-323)
2026-07-02 VulnCheck GHSA-phqw-pwxm-86gq
9.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.1 CRITICAL

Login page is remotely reachable and unauthenticated (AV:N/PR:N/UI:N); token collection and known-plaintext analysis are straightforward (AC:L); GCM nonce reuse breaks both confidentiality and authentication (C:H/I:H), with no availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 02, 2026 - 20:34 vuln.today
CVSS changed
Jul 02, 2026 - 20:22 NVD
9.1 (CRITICAL) 9.3 (CRITICAL)

DescriptionCVE.org

Apereo CAS 7.3.0 before 8.0.0-RC6 contains a cryptographic vulnerability that allows remote unauthenticated attackers to recover plaintext conversation state by exploiting AES-GCM initialization vector reuse across the server lifetime. Attackers can collect multiple client-side webflow execution tokens from the unauthenticated login page and perform known-plaintext analysis to decrypt the webflow conversation state due to keystream reuse caused by a fixed all-zero IV paired with the same encryption key.

AnalysisAI

Plaintext recovery of webflow conversation state in Apereo CAS (versions 7.3.0 up to but not including 8.0.0-RC6) lets remote unauthenticated attackers decrypt sensitive login-flow data by exploiting AES-GCM nonce reuse. Because the server encrypts client-side webflow execution tokens with a fixed all-zero initialization vector under a single long-lived key, an attacker can harvest multiple tokens from the public login page and apply known-plaintext/keystream-reuse analysis to break confidentiality (and, given GCM's nonce-reuse properties, integrity of the token). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Access unauthenticated CAS login page
Delivery
Harvest multiple webflow execution tokens
Exploit
Exploit fixed all-zero IV keystream reuse
Execution
Apply known-plaintext XOR analysis
Impact
Recover plaintext conversation state

Vulnerability AssessmentAI

Exploitation Exploitation requires that CAS store webflow conversation state in client-side encrypted execution tokens (the affected default/serialized-token mode) so an attacker can harvest ciphertext from the unauthenticated login page. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a genuine high-priority issue rather than an inflated CVSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker repeatedly visits the public CAS login page and collects many client-side webflow execution tokens, all encrypted with the same all-zero IV and key. Using the published proof-of-concept technique, they XOR ciphertexts and apply known-plaintext analysis to recover the plaintext webflow conversation state, exposing sensitive login-flow data and potentially enabling token forgery via GCM authentication-key recovery. …
Remediation Vendor-released patch: 8.0.0-RC6 - upgrade Apereo CAS to 8.0.0-RC6 or later, which is available at https://github.com/apereo/cas/releases/tag/v8.0.0-RC6 with the underlying fix in commit https://github.com/apereo/cas/commit/22c6f4adf738852782309b523b4e80371057f2d0 (see the advisory at https://apereo.github.io/2026/06/18/vuln/). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running Apereo CAS versions 7.3.0 through 8.0.0-RC5 and assess internet exposure. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41430 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy