Description
SimpleSAMLphp-casserver is a CAS 1.0 and 2.0 compliant CAS server in the form of a SimpleSAMLphp module. Prior to version 7.0.3, simplesamlphp-module-casserver builds file paths for the file-based CAS ticket store by directly concatenating the configured ticket directory with an attacker-controlled ticket identifier. Public CAS validation/proxy endpoints pass attacker-controlled ticket / pgt query parameters into this store. In deployments using FileSystemTicketStore, a remote attacker can use path traversal sequences such as ../target.serialized to make the CAS server read and unserialize files outside the ticket directory. In the CAS 1.0 validation flow, the same attacker-selected path is also passed to deleteTicket() immediately after getTicket() returns, which can delete the target file when it is readable by the PHP process, deletable under the PHP process filesystem permissions, and unserializes to a value compatible with the ?array return type. This issue has been patched in version 7.0.3.
Published: 2026-06-09
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SimpleSAMLphp casserver implements a CAS server using a file‑based ticket store. The module builds file paths by concatenating the ticket directory with an attacker‑controlled ticket identifier. This allows a remote user to supply a path containing traversal sequences such as '../target.serialized', which causes the CAS server to read and unserialize arbitrary files that lie outside the designated ticket directory. The same attacker‑selected path can also be passed to deleteTicket() during the CAS 1.0 validation flow, resulting in deletion of that file if it is readable, deletable by the PHP process, and unserializes into an array. The combination of arbitrary file read, potential code execution via unserialize, and conditional file deletion can compromise confidentiality, integrity, and availability.

Affected Systems

The vulnerability affects deployments of the SimpleSAMLphp casserver module prior to version 7.0.3. Specifically, any installation that uses the FileSystemTicketStore backend is susceptible; systems that have already applied the 7.0.3 update are no longer vulnerable.

Risk and Exploitability

The reported CVSS score of 8.6 indicates high severity. Because the attack vector is remote and relies only on exposing public CAS validation/proxy endpoints, an attacker can trigger the exploit from outside the network. EPSS data is unavailable, but the lack of a CISA KEV listing does not reduce the potential for exploitation. An attacker only needs a crafted ticket or proxy‑ticket value; no local privileges are required, and the exploitation flow leverages standard PHP filesystem permissions. Once a ticket is resolved, the attacker may read sensitive files, trigger PHP code execution through deserialization, or delete arbitrary files, depending on the filesystem configuration.

Generated by OpenCVE AI on June 10, 2026 at 00:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the simplesamlphp casserver module to version 7.0.3 or later to remove the path traversal and deletion logic.
  • Verify that the FileSystemTicketStore directory is located in a non‑exposed part of the file system and that its permissions deny read and write access to the web server user for files outside the intended ticket directory.
  • If an immediate upgrade is not possible, mitigate by limiting the ticket identifier input length, sanitizing it to remove path separators such as '/', and disabling deleteTicket() in the CAS 1.0 validation flow or bypassing the deletion step altogether.
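The advisory describes the root cause as the ticket directory being concatenated with the raw ticket identifier. The following is an added example, not code from simplesamlphp-module-casserver, of how a file-based ticket store can be written so that the identifier is validated before any path is built. The class name HardenedTicketStore, its methods, the ticket-prefix pattern, the ".ticket" suffix and the sample tickets are all assumptions made for this illustration; the store also swaps serialize()/unserialize() for JSON so that a tampered file can never instantiate objects.

```php
<?php
declare(strict_types=1);

// Added example (not the module's code). Hypothetical hardened file-based
// ticket store: the ticket identifier is allow-listed, then the resulting path
// is proven to stay inside the ticket directory before any read/unlink happens.
final class HardenedTicketStore
{
    // Assumption for this example: tickets are a CAS-style prefix followed by
    // URL-safe characters only. Neither '/', '\' nor '.' can pass this pattern.
    private const TICKET_PATTERN = '/^(ST|PT|PGT|PGTIOU|TGT)-[A-Za-z0-9_-]{1,128}$/';

    private string $dir;

    public function __construct(string $ticketDir)
    {
        $real = realpath($ticketDir);
        if ($real === false || !is_dir($real)) {
            throw new RuntimeException("ticket directory not found: $ticketDir");
        }
        $this->dir = $real;
    }

    /** Reject anything that is not a well-formed ticket identifier. */
    public static function isValidTicketId(string $ticketId): bool
    {
        return preg_match(self::TICKET_PATTERN, $ticketId) === 1;
    }

    /** Build the on-disk path and verify it cannot leave the ticket directory. */
    private function pathFor(string $ticketId): string
    {
        if (!self::isValidTicketId($ticketId)) {
            throw new InvalidArgumentException('malformed ticket identifier');
        }
        $path = $this->dir . DIRECTORY_SEPARATOR . $ticketId . '.ticket';
        // Defence in depth: the allow-list already excludes separators, but a
        // containment check survives any future loosening of the pattern.
        if (realpath(dirname($path)) !== $this->dir) {
            throw new InvalidArgumentException('ticket path escapes ticket directory');
        }
        return $path;
    }

    public function addTicket(string $ticketId, array $ticket): void
    {
        // JSON instead of serialize(): a crafted file cannot trigger object
        // instantiation on read, which unserialize() would allow.
        file_put_contents($this->pathFor($ticketId), json_encode($ticket), LOCK_EX);
    }

    public function getTicket(string $ticketId): ?array
    {
        $path = $this->pathFor($ticketId);
        if (!is_file($path)) {
            return null;
        }
        $data = json_decode((string) file_get_contents($path), true);
        return is_array($data) ? $data : null;
    }

    /** Safe to call right after getTicket(): both go through the same pathFor() gate. */
    public function deleteTicket(string $ticketId): void
    {
        $path = $this->pathFor($ticketId);
        if (is_file($path)) {
            unlink($path);
        }
    }
}

// Constructed demonstration: a legitimate ticket round-trips, while the
// traversal identifier quoted in the advisory is refused before any I/O.
$dir = sys_get_temp_dir() . '/cas-tickets-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$store = new HardenedTicketStore($dir);
$store->addTicket('ST-abc123', ['service' => 'https://app.example/', 'userName' => 'alice']);
$ticket = $store->getTicket('ST-abc123');
var_dump($ticket !== null && $ticket['userName'] === 'alice');  // bool(true)
foreach (['../target.serialized', 'ST-../x', ''] as $bad) {
    try {
        $store->getTicket($bad);
        echo "unexpected: accepted '$bad'\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected '$bad': {$e->getMessage()}\n";
    }
}
$store->deleteTicket('ST-abc123');
rmdir($dir);
```

The allow-list is the real control; the realpath() containment check only guards against the pattern being relaxed later. In a deployment, the same validation should also run at the validation/proxy endpoints that accept the ticket and pgt query parameters, so a malformed identifier is rejected with a CAS error before the store is ever consulted.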



Advisories
Source: Github GHSA
ID: GHSA-jrrg-99xh-5j2q
Title: SimpleSAMLphp casserver FileSystemTicketStore path traversal allows out-of-ticket-directory read/unserialize and conditional deletion
History

Tue, 09 Jun 2026 23:30:00 +0000

Values Removed: none

Values Added:
  Description: same text as the Description at the top of this page
  Title: SimpleSAMLphp casserver FileSystemTicketStore path traversal allows out-of-ticket-directory read/unserialize and conditional deletion
  Weaknesses: CWE-22
  References: none listed
  Metrics: cvssV3_1, score 8.6, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-09T23:00:11.313Z

Reserved: 2026-05-14T18:06:06.811Z

Link: CVE-2026-46491

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-10T00:16:53.690

Modified: 2026-06-10T00:16:53.690

Link: CVE-2026-46491

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T00:30:17Z

Weaknesses