Threat Advisory

SimpleSAMLphp Vulnerability Enables Path Traversal

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-46491 (CVSS 8.6, high severity) is a path traversal vulnerability in the SimpleSAMLphp casserver module, specifically in its `FileSystemTicketStore` implementation. In deployments where the casserver module is enabled, a file-based ticket store is configured, and the public CAS validation/proxy endpoints are reachable, an attacker can pass a specially crafted ticket identifier in the query parameters of those endpoints. Because the identifier is used to locate the ticket file, the attacker can read and unserialize files outside the ticket directory and, through the CAS 1.0 validation flow, delete attacker-selected files outside the ticket cache, subject to the filesystem permissions of the PHP process. The attacker may also be able to escalate privileges and disrupt the CAS server's functionality. The resulting business impact includes destruction of CAS tickets, of serialized SimpleSAMLphp runtime/cache files, or of any other file the PHP process can write, which can lead to denial of service or unauthorized data exposure. Exploitation requires all of the following: the casserver module enabled, the file-based ticket store configured, the CAS validation/proxy endpoints publicly reachable, and the PHP process holding filesystem permissions for the target path.
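The following is an added illustration, not SimpleSAMLphp's code and not taken from the advisory: it models how an unvalidated ticket identifier joined onto a file-based ticket directory escapes that directory, shows the hardened form (an allow-list on the identifier plus an independent containment check on the resolved path), and runs the same allow-list over constructed access-log lines to flag traversal attempts against CAS endpoints. The ticket-id format (CAS-style `ST-`/`PT-`/`PGT-` prefix), the `.ticket` file suffix, the ticket directory path, and the `/module.php/casserver/...` endpoint paths are all assumptions for the example; the sample log lines are constructed, not real traffic.

```python
import os
import re
from urllib.parse import parse_qs, urlsplit

# Assumed ticket-id format for this illustration: a CAS ticket-type prefix, a dash,
# and an opaque token. Adjust it to whatever your ticket store actually generates.
TICKET_ID_RE = re.compile(r"^(ST|PT|PGT|PGTIOU|TGT)-[A-Za-z0-9._-]{8,256}$")


def naive_ticket_path(ticket_dir: str, ticket_id: str) -> str:
    """The pattern that makes a file-based ticket store traversable: the identifier
    taken from the request is joined onto the ticket directory without validation.
    (The '.ticket' suffix is assumed for the example.)"""
    return os.path.join(ticket_dir, ticket_id + ".ticket")


def escapes_ticket_dir(ticket_dir: str, ticket_id: str) -> bool:
    """True when naive_ticket_path() would resolve to a location outside ticket_dir."""
    base = os.path.realpath(ticket_dir)
    resolved = os.path.realpath(naive_ticket_path(ticket_dir, ticket_id))
    return os.path.commonpath([base, resolved]) != base


def safe_ticket_path(ticket_dir: str, ticket_id: str) -> str:
    """Hardened form: allow-list the identifier first, then independently confirm the
    resolved path is still under ticket_dir (defence in depth if the regex is relaxed)."""
    if not TICKET_ID_RE.match(ticket_id):
        raise ValueError("ticket id does not match the expected format")
    base = os.path.realpath(ticket_dir)
    candidate = os.path.realpath(os.path.join(base, ticket_id + ".ticket"))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("ticket path escapes the ticket directory")
    return candidate


# Constructed web-server access-log lines (not real traffic). The endpoint paths are
# assumed for illustration; match them to your deployment's actual casserver routes.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [01/Jan/2026:10:00:00 +0000] "GET /module.php/casserver/serviceValidate?service=https%3A%2F%2Fapp.example%2F&ticket=ST-1234abcd5678efgh HTTP/1.1" 200 512
203.0.113.9 - - [01/Jan/2026:10:00:01 +0000] "GET /module.php/casserver/validate?service=https%3A%2F%2Fapp.example%2F&ticket=..%2F..%2F..%2Fconfig%2Fconfig.php HTTP/1.1" 200 3
203.0.113.9 - - [01/Jan/2026:10:00:02 +0000] "GET /module.php/casserver/proxyValidate?service=https%3A%2F%2Fapp.example%2F&ticket=%2Fvar%2Fcache%2Fsimplesamlphp%2Fsomething HTTP/1.1" 200 3
"""

REQUEST_LINE_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_ticket_requests(log_text: str) -> list:
    """Return the percent-decoded `ticket` values of CAS requests whose identifier
    fails the allow-list; each one is a candidate traversal attempt to investigate."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_LINE_RE.search(line)
        if not m or "/casserver/" not in m.group(1):
            continue
        query = parse_qs(urlsplit(m.group(1)).query)  # parse_qs percent-decodes values
        for ticket in query.get("ticket", []):
            if not TICKET_ID_RE.match(ticket):
                hits.append(ticket)
    return hits


if __name__ == "__main__":
    store = "/var/cache/simplesamlphp/cas"  # hypothetical ticket directory
    for tid in ("ST-1234abcd5678efgh", "../../../etc/passwd", "/etc/passwd"):
        print(f"{tid!r}: naive -> {naive_ticket_path(store, tid)} "
              f"escapes={escapes_ticket_dir(store, tid)}")
    print("flagged tickets:", suspicious_ticket_requests(SAMPLE_ACCESS_LOG))
```

Note that an absolute identifier such as `/etc/passwd` is the worst case for the naive join, since `os.path.join` (like PHP string concatenation with a leading slash) discards the base directory entirely; the containment check catches it even when the allow-list is weakened. To confirm whether a deployment is exposed, check the installed module version with `composer show simplesamlphp/simplesamlphp-module-casserver` and review the ticket-store setting in the module's configuration.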

RECOMMENDATION:

  • Update the Composer package simplesamlphp/simplesamlphp-module-casserver to version 7.0.3.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-jrrg-99xh-5j2q
