PT-2026-41399 · Git+2 · Simplesamlphp-Module-Casserver+1
Published
2026-05-15
·
Updated
2026-06-10
·
CVE-2026-46491
CVSS v3.1
8.6
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L |
Name of the Vulnerable Software and Affected Versions
simplesamlphp-module-casserver versions prior to 7.0.3
Description
The software builds file paths for the file-based CAS ticket store by directly concatenating the configured ticket directory with an attacker-controlled ticket identifier. Public CAS validation and proxy endpoints pass attacker-controlled
ticket and pgt query parameters into this store. In deployments using FileSystemTicketStore, a remote attacker can use path traversal sequences to force the CAS server to read and unserialize files outside the ticket directory. In the CAS 1.0 validation flow, the attacker-selected path is passed to the deleteTicket() function immediately after getTicket() returns, which can result in the deletion of the target file if it is readable and deletable by the PHP process and unserializes to a value compatible with the ?array return type.Recommendations
Update to version 7.0.3.
As a temporary workaround, restrict access to the
FileSystemTicketStore or disable the casserver module until the update is applied.Exploit
Fix
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Simplesamlphp-Module-Casserver
Simplesamlphp/Simplesamlphp-Module-Casserver