CVE-2026-46491 Overview
CVE-2026-46491 is a path traversal vulnerability [CWE-22] in simplesamlphp-module-casserver, a CAS 1.0 and 2.0 compliant Central Authentication Service (CAS) server distributed as a SimpleSAMLphp module. Versions prior to 7.0.3 construct file paths for the file-based CAS ticket store by concatenating the configured ticket directory with attacker-controlled ticket identifiers. Public CAS validation and proxy endpoints accept ticket and pgt query parameters that flow directly into the FileSystemTicketStore. A remote, unauthenticated attacker can submit traversal sequences such as ../target.serialized to read and unserialize arbitrary files, and in some flows delete them.
Critical Impact
A remote, unauthenticated attacker can traverse outside the ticket directory to deserialize or delete arbitrary files readable by the PHP process.
Affected Products
- simplesamlphp/simplesamlphp-module-casserver versions prior to 7.0.3
- Deployments configured to use FileSystemTicketStore
- SimpleSAMLphp installations exposing CAS 1.0/2.0 validation or proxy endpoints
Discovery Timeline
- 2026-06-10 - CVE-2026-46491 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-46491
Vulnerability Analysis
The simplesamlphp-module-casserver module implements a file-based ticket store that persists CAS ticket data as serialized PHP files within a configured directory. The FileSystemTicketStore builds the on-disk path for a ticket by concatenating the configured directory with the ticket identifier supplied by the caller. Public CAS endpoints, including the CAS 1.0 and 2.0 service validation handlers and the proxy ticket flow, forward the ticket and pgt HTTP query parameters into this store without sanitization.
Because the attacker controls the ticket identifier, traversal sequences like ../../var/www/secret.serialized resolve outside the intended ticket directory. The server then calls unserialize() on the contents of whatever file the path resolves to. In the CAS 1.0 validation flow, the same path is passed to deleteTicket() immediately after getTicket() returns. That delete is reached only when the file is readable by the PHP process and its contents unserialize to a value compatible with getTicket()'s ?array return type; otherwise the return-type mismatch aborts the request first. When the file is also deletable by the PHP process, the server removes it.
Root Cause
The root cause is missing input validation on the ticket identifier before it is used in filesystem operations [CWE-22]. The store does not normalize the path or confirm that the resolved location remains within the configured ticket directory.
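The following PHP (requires PHP 8) is an added illustration written for this page; it is not the casserver module's code, and storing ticket files as `<dir>/<ticket id>` is a modelling assumption. It places the concatenation pattern described above next to a hardened resolver that allowlists the ticket identifier, canonicalises the path and confirms it stays inside the ticket directory before anything is read or deleted.

```php
<?php
declare(strict_types=1);

/*
 * Added illustration for this advisory, not the casserver module's code.
 * Models a file-backed CAS ticket store. The *Vulnerable methods build the
 * path by plain concatenation, as the advisory describes; the *Safe methods
 * route every id through one resolver that allowlists the id and confirms
 * the canonical path stays inside the ticket directory. Ticket files being
 * stored as "<dir>/<ticket id>" is a modelling assumption.
 */
final class DemoTicketStore
{
    public function __construct(private string $dir) {}

    /* ---- vulnerable pattern: the caller-supplied id is the filename ---- */

    public function getTicketVulnerable(string $id): ?array
    {
        $path = $this->dir . '/' . $id;
        if (!is_file($path)) {
            return null;
        }
        // Whatever the path points at is unserialized. A non-array result
        // violates the ?array return type and throws a TypeError here.
        return unserialize((string) file_get_contents($path));
    }

    public function deleteTicketVulnerable(string $id): void
    {
        @unlink($this->dir . '/' . $id);   // same unchecked path, now deleted
    }

    /* ---- hardened pattern ---- */

    private function resolve(string $id): ?string
    {
        // 1. Allowlist first: standard CAS prefixes (assumed) and a safe charset.
        if (!preg_match('/^(ST|PT|PGT|PGTIOU|TGT)-[A-Za-z0-9_-]{1,255}$/', $id)) {
            throw new InvalidArgumentException('malformed ticket id');
        }
        $base = realpath($this->dir);
        if ($base === false) {
            throw new RuntimeException('ticket directory missing');
        }
        // 2. Containment check on the canonical path, as defence in depth.
        $real = realpath($base . '/' . $id);
        if ($real === false) {
            return null;                   // no such ticket
        }
        if (!str_starts_with($real, $base . '/')) {
            throw new RuntimeException('ticket path escaped the store');
        }
        return $real;
    }

    public function getTicketSafe(string $id): ?array
    {
        $path = $this->resolve($id);
        if ($path === null) {
            return null;
        }
        // 3. Ticket data must never instantiate objects.
        $data = unserialize((string) file_get_contents($path), ['allowed_classes' => false]);
        return is_array($data) ? $data : null;
    }

    public function deleteTicketSafe(string $id): void
    {
        $path = $this->resolve($id);
        if ($path !== null) {
            unlink($path);
        }
    }
}

/* ---- demo on a scratch directory with constructed data ---- */
$root = sys_get_temp_dir() . '/casdemo-' . bin2hex(random_bytes(4));
mkdir($root . '/tickets', 0700, true);
file_put_contents($root . '/tickets/ST-1-3kq9vA',
    serialize(['user' => 'alice', 'service' => 'https://app.example/']));
file_put_contents($root . '/secret.serialized',
    serialize(['db_password' => 'hunter2']));     // one level above the store

$store = new DemoTicketStore($root . '/tickets');

var_dump($store->getTicketVulnerable('../secret.serialized'));  // neighbour file is read
try {
    $store->getTicketSafe('../secret.serialized');               // rejected before any I/O
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
var_dump($store->getTicketSafe('ST-1-3kq9vA'));                  // legitimate ticket still works
```

The allowlist is the fix that matters: it rejects the identifier before the filesystem is touched, so the realpath containment check and the `allowed_classes` restriction only have to catch mistakes in the first line of defence. Routing get and delete through one resolver also closes the CAS 1.0 deletion path with the same check.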
Attack Vector
An unauthenticated attacker sends a crafted HTTP request to a public CAS validation or proxy endpoint with a ticket or pgt parameter containing path traversal sequences. The PHP process reads and deserializes the targeted file, and in the CAS 1.0 path may also delete it.
No verified public exploit code is available. See the GitHub Security Advisory GHSA-jrrg-99xh-5j2q for technical details.
Detection Methods for CVE-2026-46491
Indicators of Compromise
- HTTP requests to CAS validation or proxy endpoints containing .. sequences, URL-encoded %2e%2e, or absolute paths in the ticket or pgt query parameters.
- Unexpected deletion of .serialized files or other files readable by the PHP process user outside the configured ticket directory.
- PHP error log entries referencing unserialize() failures, or return-type TypeErrors from getTicket(), originating from FileSystemTicketStore.
Detection Strategies
- Inspect web server access logs for CAS endpoints (/serviceValidate, /proxyValidate, /validate, /proxy) with suspicious values in ticket and pgt.
- Apply Web Application Firewall (WAF) rules that block path traversal patterns on CAS query parameters.
- Monitor file integrity on directories adjacent to the CAS ticket store and on sensitive serialized data locations.
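As an added example (PHP again, not code from the advisory or the module), the following scanner applies the indicators above to access-log lines: it picks out requests to the CAS endpoints, extracts the ticket and pgt parameters, decodes them repeatedly so double-encoded sequences are caught, and reports dot-dot traversal, absolute paths, path separators or any character outside the ticket allowlist. The endpoint URL layout, the log format and the sample lines are constructed for the demo; given a file path on the command line, the script reads that log instead.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not from the advisory or the casserver module. Scans
 * combined-format access-log lines for requests to the CAS validation and
 * proxy endpoints whose ticket or pgt parameter could escape the ticket
 * directory. Endpoint layout, log format and sample lines are constructed;
 * adjust CAS_ENDPOINT_RE to the URL layout of your installation.
 */

// Last path segment of the endpoints named in the advisory, with or without .php
const CAS_ENDPOINT_RE = '#/(validate|serviceValidate|proxyValidate|proxy)(\.php)?$#';

// Decode repeatedly so double-encoded sequences such as %252e%252e are seen too.
function fullyDecode(string $value): string
{
    for ($i = 0; $i < 3; $i++) {
        $decoded = rawurldecode($value);
        if ($decoded === $value) {
            break;
        }
        $value = $decoded;
    }
    return $value;
}

// Reason string when a ticket id is suspicious, null when it looks like a CAS ticket.
function classifyTicketId(string $raw): ?string
{
    $id = str_replace('\\', '/', fullyDecode($raw));   // treat backslash like slash
    if (str_contains($id, "\0")) {
        return 'NUL byte';
    }
    if (str_contains($id, '..')) {
        return 'dot-dot traversal';
    }
    if (str_starts_with($id, '/')) {
        return 'absolute path';
    }
    if (str_contains($id, '/')) {
        return 'path separator';
    }
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $id)) {
        return 'unexpected characters';
    }
    return null;
}

// Inspect one access-log line; return a finding array or null.
function inspectLine(string $line): ?array
{
    if (!preg_match('/^(\S+) .*?"(?:GET|POST) (\S+) HTTP\//', $line, $m)) {
        return null;
    }
    [, $client, $target] = $m;
    $url  = parse_url($target);
    $path = $url['path'] ?? '';
    if (!preg_match(CAS_ENDPOINT_RE, $path)) {
        return null;
    }
    parse_str($url['query'] ?? '', $params);          // decodes each value once
    foreach (['ticket', 'pgt'] as $name) {
        if (!isset($params[$name]) || !is_string($params[$name])) {
            continue;
        }
        $reason = classifyTicketId($params[$name]);
        if ($reason !== null) {
            return [
                'client'  => $client,
                'path'    => $path,
                'param'   => $name,
                'decoded' => fullyDecode($params[$name]),
                'reason'  => $reason,
            ];
        }
    }
    return null;
}

// Constructed sample log lines: one benign validation, two traversal attempts.
$sampleLog = <<<'LOG'
192.0.2.10 - - [10/Jun/2026:12:00:01 +0000] "GET /simplesaml/module.php/casserver/serviceValidate?service=https%3A%2F%2Fapp.example%2F&ticket=ST-1-3kq9vA HTTP/1.1" 200 612 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Jun/2026:12:00:05 +0000] "GET /simplesaml/module.php/casserver/validate?service=https%3A%2F%2Fapp.example%2F&ticket=..%2F..%2Fconfig%2Fauthsources HTTP/1.1" 200 4 "-" "curl/8.5.0"
192.0.2.77 - - [10/Jun/2026:12:00:09 +0000] "GET /simplesaml/module.php/casserver/proxy?targetService=https%3A%2F%2Fx.example%2F&pgt=%252e%252e%252fsecret HTTP/1.1" 200 280 "-" "curl/8.5.0"
LOG;

$lines = $argc > 1 ? file($argv[1], FILE_IGNORE_NEW_LINES) : explode("\n", $sampleLog);
foreach ($lines as $line) {
    $finding = inspectLine($line);
    if ($finding !== null) {
        printf("ALERT %s %s %s=%s (%s)\n", $finding['client'], $finding['path'],
            $finding['param'], $finding['decoded'], $finding['reason']);
    }
}
```

Run it as `php cas_scan.php /var/log/apache2/access.log`. The final allowlist test is what keeps the scanner honest: a blocklist of `..` and `/` misses nothing in the sample, but an identifier that is not plain `[A-Za-z0-9_-]` is not a ticket the module issued and deserves a look regardless of which sequence it carries.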
Monitoring Recommendations
- Centralize SimpleSAMLphp and web server logs and alert on traversal patterns targeting CAS endpoints.
- Track the PHP process for unexpected open()/openat() and unlink()/unlinkat() syscalls on paths outside the configured ticket directory.
- Audit changes to files in directories writable or readable by the PHP-FPM or Apache user.
How to Mitigate CVE-2026-46491
Immediate Actions Required
- Upgrade simplesamlphp/simplesamlphp-module-casserver to version 7.0.3 or later.
- Review CAS server access logs for traversal attempts against ticket and pgt parameters since exposure began.
- Audit the filesystem for unexpected deletions or modifications of files readable by the PHP process.
Patch Information
The issue is fixed in version 7.0.3. See the GitHub Release v7.0.3 and the upstream commit for the corrective changes. Composer-managed deployments should run composer update simplesamlphp/simplesamlphp-module-casserver and redeploy.
Workarounds
- If patching is delayed, switch from FileSystemTicketStore to an alternative ticket store backend that does not derive file paths from attacker-controlled input.
- Tighten filesystem permissions so the PHP process user can write and delete only inside the ticket directory and cannot read sensitive serialized data elsewhere; PHP's open_basedir directive can additionally confine file operations, but it applies to the whole application and must still allow the code and configuration paths SimpleSAMLphp needs.
- Deploy WAF rules that reject ticket and pgt parameters containing .., /, \, or URL-encoded equivalents, including double-encoded forms such as %252e. An allowlist that admits only the characters legitimate tickets use (letters, digits, - and _) is more robust than a blocklist of traversal patterns.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.