CVE-2026-59099
Received Received - Intake

Authentication Bypass via AES-GCM IV Reuse in Apereo CAS

Vulnerability report for CVE-2026-59099, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: VulnCheck

Description

Apereo CAS 7.3.0 before 8.0.0-RC6 contains a cryptographic vulnerability that allows remote unauthenticated attackers to recover plaintext conversation state by exploiting AES-GCM initialization vector reuse across the server lifetime. Attackers can collect multiple client-side webflow execution tokens from the unauthenticated login page and perform known-plaintext analysis to decrypt the webflow conversation state due to keystream reuse caused by a fixed all-zero IV paired with the same encryption key.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-02
Last Modified
2026-07-02
Generated
2026-07-03
AI Q&A
2026-07-02
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
apereo cas From 7.3.0 (inc) to 8.0.0-RC6 (exc)
apereo cas 7.3.7.3
apereo cas 8.0.0-RC6
apereo cas to 8.0.0-RC6 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-323 Nonces should be used for the present occasion and only once.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-59099 is a cryptographic vulnerability in Apereo CAS versions 7.3.0 before 8.0.0-RC6. It arises because the AES-GCM encryption used for protecting webflow conversation state reuses a fixed all-zero initialization vector (IV) with the same encryption key across the server's lifetime.

This IV reuse causes the keystream to be reused, which breaks the security guarantees of AES-GCM. Remote unauthenticated attackers can collect multiple encrypted tokens from the login page and perform known-plaintext analysis to decrypt the conversation state, recovering plaintext information that should be confidential.

Impact Analysis

This vulnerability allows remote unauthenticated attackers to decrypt sensitive information stored in the webflow conversation state by exploiting the reuse of the AES-GCM initialization vector.

  • Attackers can recover plaintext session or state data that is meant to be encrypted and confidential.
  • This leads to information disclosure, potentially exposing user session details or authentication flow data.
  • Since the attack requires no authentication and can be performed remotely, it poses a high risk to affected systems.
Detection Guidance

This vulnerability involves the reuse of a fixed all-zero initialization vector (IV) in AES-GCM encryption within Apereo CAS versions 7.3.0 through 7.9.99 (excluding 8.0.0-RC6). Detection involves identifying if your system is running a vulnerable version of Apereo CAS and if the client-side webflow execution tokens are being reused with the same IV.

Since the vulnerability is cryptographic and related to IV reuse, direct detection on the network or system would involve capturing multiple client-side webflow execution tokens from the unauthenticated login page and analyzing them for repeated IVs or ciphertext patterns indicating nonce reuse.

No explicit commands or detection scripts are provided in the available resources. However, general steps to detect this vulnerability could include:

  • Check the version of Apereo CAS running on your system to confirm if it is between 7.3.0 and before 8.0.0-RC6.
  • Capture multiple webflow execution tokens from the unauthenticated login page using tools like curl or browser developer tools.
  • Analyze the captured tokens for repeated or fixed initialization vectors (IVs) or ciphertext reuse, which may require custom cryptographic analysis scripts.

Because the vulnerability is subtle and cryptographic in nature, automated detection tools or commands are not explicitly documented in the provided resources.

Mitigation Strategies

The primary mitigation step is to upgrade Apereo CAS to a fixed version that addresses the vulnerability.

  • Upgrade to Apereo CAS version 7.3.7.3 or later, or to version 8.0.0-RC6 or later, where the cryptographic vulnerability related to AES-GCM IV reuse has been fixed.
  • Apply the patch that changes the encryption process to generate a fresh random initialization vector (IV) for each encryption operation instead of using a fixed all-zero IV.

The upgrade is a drop-in replacement requiring minimal configuration changes and is strongly recommended to prevent remote unauthenticated attackers from decrypting webflow conversation states.

Additionally, review your deployment to ensure that client-side webflow storage is configured securely, as this is the default and increases exposure.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59099. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart