GHSA-JRRG-99XH-5J2Q

Vulnerability from github – Published: 2026-05-15 18:07 – Updated: 2026-05-15 18:07
Summary
SimpleSAMLphp casserver FileSystemTicketStore path traversal allows out-of-ticket-directory read/unserialize and conditional deletion
Details

Summary

simplesamlphp-module-casserver builds file paths for the file-based CAS ticket store by directly concatenating the configured ticket directory with an attacker-controlled ticket identifier. Public CAS validation/proxy endpoints pass attacker-controlled ticket / pgt query parameters into this store.

In deployments using FileSystemTicketStore, a remote attacker can use path traversal sequences such as ../target.serialized to make the CAS server read and unserialize files outside the ticket directory. In the CAS 1.0 validation flow, the same attacker-selected path is also passed to deleteTicket() immediately after getTicket() returns, which can delete the target file when it is readable by the PHP process, deletable under the PHP process filesystem permissions, and unserializes to a value compatible with the ?array return type.

Preconditions

The demonstrated issue requires:

  • the casserver module to be enabled;
  • the file-based ticket store to be configured (FileSystemTicketStore);
  • public CAS validation/proxy endpoints to be reachable;
  • the PHP process to have filesystem permissions for the target path;
  • for the demonstrated CAS 1.0 deletion impact, getTicket() must return without throwing; practically, the target file must contain serialized PHP data that unserializes to a value compatible with the ?array return type, such as an array or null. Full CAS semantic validation is not required for deletion in CAS 1.0 because deleteTicket($ticket) is called immediately after getTicket($ticket).

The attacker does not need administrator access to SimpleSAMLphp.

Impact

Affected deployments can allow remote attackers to escape the configured CAS ticket directory through public ticket validation inputs.

Confirmed impact:

  • read and unserialize files outside the ticket cache when the file content is valid serialized PHP data;
  • delete attacker-selected files outside the ticket cache through the CAS 1.0 validation flow when the target is readable by the PHP process, deletable under the PHP process filesystem permissions, and the target content unserializes to a value compatible with the ?array return type, such as a serialized array or serialized null. Full CAS semantic validation is not required before deletion in the CAS 1.0 flow.

The file deletion impact depends on filesystem permissions of the PHP process. In realistic deployments, this can destroy CAS tickets, serialized SimpleSAMLphp runtime/cache files, or other writable files whose contents can be unserialized into a value accepted by the ?array return type. It may also delete attacker-created files outside the ticket directory if the attacker has another primitive to place such serialized content.

The unserialize() call creates a dangerous secondary primitive if an attacker can place a serialized object file at a reachable path, although this report does not claim a complete object-injection or RCE chain.
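As an added illustration (not the casserver module's own code and not taken from its fix), the unsafe concatenation the advisory describes beside a hardened store in which getTicket() and deleteTicket() share one validated path resolver; class and method names are hypothetical and it assumes PHP 8.0 or later:

```php
<?php
// Added illustration, not the casserver module's own code: the unsafe path
// construction the advisory describes next to a hardened store (PHP 8+, hypothetical names).
final class FileTicketStore
{
    public function __construct(private string $ticketDir) {}
    // Unsafe pattern from the advisory: the caller-supplied identifier goes
    // straight into the path ("../x" escapes the directory) and whatever is
    // read is handed to unserialize() unconditionally.
    public function getTicketUnsafe(string $ticketId): ?array
    {
        $data = @file_get_contents($this->ticketDir . '/' . $ticketId . '.serialized');
        return $data === false ? null : unserialize($data);
    }

    // Shared by get and delete: allowlist the identifier, then require the
    // resolved path to stay under the resolved ticket directory.
    private function resolvePath(string $ticketId): ?string
    {
        if (!preg_match('/\A[A-Za-z0-9_-]{1,255}\z/', $ticketId)) {
            throw new InvalidArgumentException('Malformed ticket identifier');
        }
        $base = realpath($this->ticketDir);
        if ($base === false) {
            throw new RuntimeException('Ticket directory is not accessible');
        }
        $real = realpath($base . DIRECTORY_SEPARATOR . $ticketId . '.serialized');
        if ($real === false) {
            return null; // no such ticket file
        }
        if (!str_starts_with($real, $base . DIRECTORY_SEPARATOR)) {
            throw new RuntimeException('Ticket path escapes the ticket directory');
        }
        return $real;
    }
    public function getTicket(string $ticketId): ?array
    {
        $path = $this->resolvePath($ticketId);
        if ($path === null) { return null; }
        // allowed_classes => false stops unserialize() creating objects (the secondary primitive)
        $value = unserialize((string) file_get_contents($path), ['allowed_classes' => false]);
        return is_array($value) ? $value : null;
    }
    public function deleteTicket(string $ticketId): void
    {
        $path = $this->resolvePath($ticketId);
        if ($path !== null) { unlink($path); }
    }
}
```

Because deleteTicket() goes through the same resolver, the CAS 1.0 sequence of getTicket() followed by deleteTicket() can no longer reach a path outside the ticket directory even when the read succeeds.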


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 7.0.2"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "simplesamlphp/simplesamlphp-module-casserver"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46491"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-15T18:07:51Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\n`simplesamlphp-module-casserver` builds file paths for the file-based CAS ticket store by directly concatenating the configured ticket directory with an attacker-controlled ticket identifier. Public CAS validation/proxy endpoints pass attacker-controlled `ticket` / `pgt` query parameters into this store.\n\nIn deployments using `FileSystemTicketStore`, a remote attacker can use path traversal sequences such as `../target.serialized` to make the CAS server read and unserialize files outside the ticket directory. In the CAS 1.0 validation flow, the same attacker-selected path is also passed to `deleteTicket()` immediately after `getTicket()` returns, which can delete the target file when it is readable by the PHP process, deletable under the PHP process filesystem permissions, and unserializes to a value compatible with the `?array` return type.\n\n### Preconditions\n\nThe demonstrated issue requires:\n\n- the `casserver` module to be enabled;\n- the file-based ticket store to be configured (`FileSystemTicketStore`);\n- public CAS validation/proxy endpoints to be reachable;\n- the PHP process to have filesystem permissions for the target path.\n- for the demonstrated CAS 1.0 deletion impact, `getTicket()` must return without throwing; practically, the target file must contain serialized PHP data that unserializes to a value compatible with the `?array` return type, such as an array or null. Full CAS semantic validation is not required for deletion in CAS 1.0 because `deleteTicket($ticket)` is called immediately after `getTicket($ticket)`.\n\nThe attacker does not need administrator access to SimpleSAMLphp.\n\n## Impact\n\nAffected deployments can allow remote attackers to escape the configured CAS ticket directory through public ticket validation inputs.\n\nConfirmed impact:\n\n- read and unserialize files outside the ticket cache when the file content is valid serialized PHP data;\n- delete attacker-selected files outside the ticket cache through the CAS 1.0 validation flow when the target is readable by the PHP process, deletable under the PHP process filesystem permissions, and the target content unserializes to a value compatible with the `?array` return type, such as a serialized array or serialized null. Full CAS semantic validation is not required before deletion in the CAS 1.0 flow.\n\nThe file deletion impact depends on filesystem permissions of the PHP process. In realistic deployments, this can destroy CAS tickets, serialized SimpleSAMLphp runtime/cache files, or other writable files whose contents can be unserialized into a value accepted by the `?array` return type. It may also delete attacker-created files outside the ticket directory if the attacker has another primitive to place such serialized content.\n\nThe `unserialize()` call creates a dangerous secondary primitive if an attacker can place a serialized object file at a reachable path, although this report does not claim a complete object-injection or RCE chain.",
  "id": "GHSA-jrrg-99xh-5j2q",
  "modified": "2026-05-15T18:07:51Z",
  "published": "2026-05-15T18:07:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/simplesamlphp/simplesamlphp-module-casserver/security/advisories/GHSA-jrrg-99xh-5j2q"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/simplesamlphp/simplesamlphp-module-casserver"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SimpleSAMLphp casserver FileSystemTicketStore path traversal allows out-of-ticket-directory read/unserialize and conditional deletion"
}
