CVE-2026-46491
Received - Intake
Path Traversal in SimpleSAMLphp-casserver

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
SimpleSAMLphp-casserver is a CAS 1.0 and 2.0 compliant CAS server in the form of a SimpleSAMLphp module. Prior to version 7.0.3, simplesamlphp-module-casserver builds file paths for the file-based CAS ticket store by directly concatenating the configured ticket directory with an attacker-controlled ticket identifier. Public CAS validation/proxy endpoints pass attacker-controlled ticket / pgt query parameters into this store. In deployments using FileSystemTicketStore, a remote attacker can use path traversal sequences such as ../target.serialized to make the CAS server read and unserialize files outside the ticket directory. In the CAS 1.0 validation flow, the same attacker-selected path is also passed to deleteTicket() immediately after getTicket() returns, which can delete the target file when it is readable by the PHP process, deletable under the PHP process filesystem permissions, and unserializes to a value compatible with the ?array return type. This issue has been patched in version 7.0.3.
Affected Vendors & Products
Showing 2 associated CPEs
Vendor          Product                          Version / Range
simplesamlphp   simplesamlphp-module-casserver   < 7.0.3 (affected)
simplesamlphp   simplesamlphp-module-casserver   7.0.3 (patched release)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Detection Guidance

This vulnerability combines path traversal (CWE-22) with deserialization of attacker-selected files in the FileSystemTicketStore component of simplesamlphp-module-casserver. The attacker-controlled input is the ticket or pgt query parameter sent to the CAS validation and proxy endpoints (in the CAS protocol: /validate, /serviceValidate, /proxyValidate and /proxy), so detection can focus on those parameters carrying path traversal sequences such as "../".

Inspect web server access logs or application logs for requests to those endpoints whose ticket or pgt parameter contains traversal sequences, keeping in mind that a client may percent-encode, or double-encode, the dots and slashes:

  • Search logs for raw and URL-encoded traversal patterns in the ticket and pgt parameters, e.g.:
    grep -Ei '(ticket|pgt)=[^& "]*(\.\./|\.\.%2f|%2e%2e%2f|%2e%2e/)' /path/to/access.log
  • Compare the values against the format of tickets your server actually issues. The CAS protocol restricts tickets to letters, digits and hyphens, so any ticket or pgt value containing "/", "\" or "." is suspicious regardless of whether it matches the grep above.
  • Monitor for unexpected file deletions, or errors about missing ticket files, that reference paths outside the configured ticket directory.

Because exploitation makes the server unserialize the targeted file, PHP warnings or errors from unserialize() (for example on malformed serialized data) and TypeErrors from the ticket store's getTicket() in the application log are further indicators. Note that a request aimed at a well-formed serialized file produces no such error, so these signals complement rather than replace request-log monitoring.
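The log check described above, as an added example that is not part of the original page or of the casserver module: a small Python scanner that extracts the request line from access-log entries, matches the CAS endpoint by its final path segment (the route prefix and a trailing ".php" vary between deployments, so both are tolerated), and flags ticket or pgt values that contain a ".." path segment after full percent-decoding. The sample log lines are constructed for this example; the route prefix /module.php/casserver/ in them is an assumption and should be adjusted to your deployment.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# CAS protocol endpoints that take a ticket (validation) or pgt (proxy) parameter.
# Only the final path segment is matched because route prefixes differ between
# deployments; a trailing ".php" is tolerated for older module layouts.
CAS_ENDPOINT_RE = re.compile(r"/(validate|serviceValidate|proxyValidate|proxy)(\.php)?$")
SUSPECT_PARAMS = {"ticket", "pgt"}

# Request line inside a common/combined-format access log: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_fully(value, max_rounds=3):
    """Percent-decode until stable so double-encoded sequences (%252e) are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value):
    """True when any path segment of the decoded value is '..' (backslashes count as separators)."""
    decoded = decode_fully(value).replace("\\", "/")
    return any(segment == ".." for segment in decoded.split("/"))


def scan_access_log(lines):
    """Return (line_no, endpoint, parameter, decoded_value) for every suspicious CAS request."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        endpoint = CAS_ENDPOINT_RE.search(url.path)
        if not endpoint:
            continue
        # parse_qsl percent-decodes once; decode_fully inside has_traversal handles further layers.
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key in SUSPECT_PARAMS and has_traversal(value):
                hits.append((line_no, endpoint.group(1), key, decode_fully(value)))
    return hits


# Constructed sample log lines for this example (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jun/2026:12:00:01 +0000] "GET /module.php/casserver/serviceValidate?service=https%3A%2F%2Fapp.example%2F&ticket=ST-1-abc123 HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Jun/2026:12:00:02 +0000] "GET /module.php/casserver/validate?service=https%3A%2F%2Fapp.example%2F&ticket=../../../../var/www/target.serialized HTTP/1.1" 200 4',
    '10.0.0.9 - - [10/Jun/2026:12:00:03 +0000] "GET /module.php/casserver/proxy?targetService=https%3A%2F%2Fapp.example%2F&pgt=%252e%252e%252f%252e%252e%252fvar%252fwww%252ftarget.serialized HTTP/1.1" 200 300',
    '10.0.0.7 - - [10/Jun/2026:12:00:04 +0000] "GET /module.php/casserver/proxyValidate?service=https%3A%2F%2Fapp.example%2F&ticket=ST-2-..xyz HTTP/1.1" 200 512',
    '10.0.0.7 - - [10/Jun/2026:12:00:05 +0000] "GET /module.php/casserver/login?service=https%3A%2F%2Fapp.example%2F HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("line %d: %s %s=%s" % hit)
```

Matching on a ".." path segment rather than the literal string "../" avoids flagging values such as ST-2-..xyz and still catches backslash and double-encoded variants; run it over real logs with something like `scan_access_log(open("/path/to/access.log"))`.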

Executive Summary

CVE-2026-46491 is a path traversal vulnerability in the SimpleSAMLphp-casserver module, specifically in the FileSystemTicketStore component. The module builds file paths for storing CAS tickets by directly concatenating a configured ticket directory with an attacker-controlled ticket identifier. This allows a remote attacker to use path traversal sequences (like "../") in ticket identifiers passed to public CAS validation or proxy endpoints to read and unserialize files outside the intended ticket directory.

Additionally, in the CAS 1.0 validation flow, the attacker-controlled path is also used to delete files immediately after reading them, which can lead to deletion of arbitrary files if they are readable and deletable by the PHP process and contain serialized data compatible with the expected return type.

Because the CAS validation and proxy endpoints are public, an unauthenticated remote request can make the server open and unserialize any file the PHP process can read and, in the CAS 1.0 validation flow, delete that file when the conditions above hold. This compromises the integrity and availability of the ticket store and of any other file the PHP process can reach. The issue has been patched in version 7.0.3.

Impact Analysis

The server, not the attacker, reads the targeted file: the attacker selects a path and the PHP process opens and unserializes it. The direct effect is therefore deserialization of attacker-selected files rather than a plain disclosure of file contents, which is most dangerous if an attacker can also place a file with chosen serialized content somewhere the PHP process can read it.

The attacker can also delete files that are readable and deletable by the PHP process and that unserialize to an array, potentially destroying CAS tickets or other PHP-serialized application data and causing denial of service or loss of data integrity.

Because the attack requires no authentication, it poses a high risk to the availability and integrity of the CAS server and its stored data.

Mitigation Strategies

The primary mitigation is to upgrade the simplesamlphp-module-casserver to version 7.0.3 or later, where this vulnerability has been patched.

The patch includes sanitizing ticket identifiers to prevent directory traversal, replacing direct ticket ID usage with SHA1 hashes for filenames, and hardening unserialize calls to disallow unsafe deserialization.

If an immediate upgrade is not possible, restrict the CAS validation and proxy endpoints to trusted sources. These endpoints are called server-to-server by the registered CAS client applications, not by end-user browsers, so an allowlist of those clients' source addresses at the web server or firewall is usually practical. Where the module offers a non-filesystem ticket store for your deployment, switching away from FileSystemTicketStore removes the vulnerable code path. Monitor logs for suspicious ticket and pgt parameters in the meantime.

Review and tighten filesystem permissions so that the PHP process can write and delete only inside the ticket directory, and keep files stored in PHP-serialized form out of its reach. No permission setting prevents the read-and-unserialize step on files the application legitimately needs, so this limits impact rather than replacing the upgrade.
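To make the defect and the fix concrete, here is an added example that is not code from the casserver module (which is PHP): a Python analogue of a file-based ticket store, first with the pre-7.0.3 behaviour (directory + raw ticket id) and then hardened the way the patch description outlines (ticket id allowlist, SHA-1 of the id as the file name, and a containment check as defence in depth). JSON stands in for PHP serialize()/unserialize(), a dict check stands in for the ?array return type, and the class and function names, the TICKET_ID_RE allowlist and the CAS 1.0 read-then-delete method are all assumptions made for this example.

```python
import hashlib
import json
import os
import re
import tempfile

# Hypothetical allowlist matching the character set the CAS protocol permits in
# tickets (letters, digits, hyphen); the real module's validation may differ.
TICKET_ID_RE = re.compile(r"^[A-Za-z0-9-]+$")


class VulnerableTicketStore:
    """Models the pre-7.0.3 behaviour: path = ticket directory + raw ticket id."""

    def __init__(self, ticket_dir):
        self.ticket_dir = ticket_dir

    def _path(self, ticket_id):
        return self.ticket_dir + "/" + ticket_id  # no validation, no canonicalisation

    def put_ticket(self, ticket_id, data):
        with open(self._path(ticket_id), "w") as fh:
            json.dump(data, fh)  # json stands in for PHP serialize()

    def get_ticket(self, ticket_id):
        path = self._path(ticket_id)
        if not os.path.isfile(path):
            return None
        with open(path) as fh:
            value = json.load(fh)  # stands in for unserialize()
        if not isinstance(value, dict):
            # Mirrors the PHP ?array return type: a non-array value is a TypeError
            raise TypeError("ticket file did not deserialize to an array")
        return value

    def delete_ticket(self, ticket_id):
        path = self._path(ticket_id)
        if os.path.isfile(path):
            os.remove(path)

    def validate_cas10(self, ticket_id):
        """CAS 1.0 /validate flow: read the ticket, then delete the same path."""
        ticket = self.get_ticket(ticket_id)
        self.delete_ticket(ticket_id)  # reached only if get_ticket returned normally
        return ticket


class HardenedTicketStore(VulnerableTicketStore):
    """Validates the id, names the file by SHA-1 of the id, and checks containment."""

    def _path(self, ticket_id):
        if not TICKET_ID_RE.match(ticket_id):
            raise ValueError("invalid ticket id")
        filename = hashlib.sha1(ticket_id.encode()).hexdigest()  # never the raw id
        base = os.path.realpath(self.ticket_dir)
        path = os.path.realpath(os.path.join(base, filename))
        if os.path.dirname(path) != base:  # defence in depth: never leave the directory
            raise ValueError("ticket path escapes the ticket directory")
        return path


def demo():
    """Exercise both stores in a scratch directory and return the observed outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        ticket_dir = os.path.join(root, "tickets")
        os.mkdir(ticket_dir)
        # Constructed target files one level above the ticket directory
        array_target = os.path.join(root, "target.serialized")
        scalar_target = os.path.join(root, "scalar.serialized")
        with open(array_target, "w") as fh:
            json.dump({"secret": "outside"}, fh)
        with open(scalar_target, "w") as fh:
            json.dump("not an array", fh)

        vuln = VulnerableTicketStore(ticket_dir)
        # Traversal reads the file outside the ticket directory, then deletes it
        results["vuln_read"] = vuln.validate_cas10("../target.serialized")
        results["vuln_deleted"] = not os.path.exists(array_target)
        # A file that does not deserialize to an array raises before the delete step
        try:
            vuln.validate_cas10("../scalar.serialized")
        except TypeError:
            pass
        results["vuln_scalar_kept"] = os.path.exists(scalar_target)

        hard = HardenedTicketStore(ticket_dir)
        try:
            hard.validate_cas10("../scalar.serialized")
            results["hard_refused"] = False
        except ValueError:
            results["hard_refused"] = True
        hard.put_ticket("ST-1-abc", {"service": "https://app.example/"})
        results["hard_roundtrip"] = hard.validate_cas10("ST-1-abc")
        results["hard_consumed"] = hard.get_ticket("ST-1-abc")  # single use
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The scalar case shows why the advisory qualifies the deletion: the type check on the return value fails before deleteTicket() runs, so only files that deserialize to an array can be removed. The hardened store rejects the traversal at the allowlist, and even an id that somehow passed it could not escape the directory because the file name is derived from a hash rather than from the input.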

Compliance Impact

The vulnerability in simplesamlphp-module-casserver allows remote attackers to read, unserialize, and potentially delete files outside the intended ticket directory without authentication. This can lead to unauthorized access to sensitive data and destruction of critical files, impacting data integrity and availability.

Such unauthorized access and manipulation of data could result in non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information, as well as ensuring data integrity and availability.

Therefore, organizations using vulnerable versions of this software may face increased risk of violating these standards due to potential data breaches or loss caused by this vulnerability.
