PT-2026-41399 · Git+2 · Simplesamlphp-Module-Casserver+1

Published

2026-05-15

·

Updated

2026-06-10

·

CVE-2026-46491

CVSS v3.1

8.6

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Name of the Vulnerable Software and Affected Versions simplesamlphp-module-casserver versions prior to 7.0.3
Description The software builds file paths for the file-based CAS ticket store by directly concatenating the configured ticket directory with an attacker-controlled ticket identifier. Public CAS validation and proxy endpoints pass attacker-controlled ticket and pgt query parameters into this store. In deployments using FileSystemTicketStore, a remote attacker can use path traversal sequences to force the CAS server to read and unserialize files outside the ticket directory. In the CAS 1.0 validation flow, the attacker-selected path is passed to the deleteTicket() function immediately after getTicket() returns, which can result in the deletion of the target file if it is readable and deletable by the PHP process and unserializes to a value compatible with the ?array return type.
Recommendations Update to version 7.0.3. As a temporary workaround, restrict access to the FileSystemTicketStore or disable the casserver module until the update is applied.

Exploit

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-46491
GHSA-JRRG-99XH-5J2Q

Affected Products

Simplesamlphp-Module-Casserver
Simplesamlphp/Simplesamlphp-Module-Casserver