Security Advisory - Published 2026-06-10 - SimpleSAMLphp / CAS
SimpleSAMLphp CAS Server CVE-2026-46491: FileSystemTicketStore Self-Check
CVE-2026-46491 affects the simplesamlphp-module-casserver module before
7.0.3 when it uses the file-based CAS ticket store. The risky setup is specific:
the CAS server module is enabled, public validation or proxy endpoints are reachable,
and CAS tickets are stored on disk by the PHP process.
Who is affected
- Package: simplesamlphp/simplesamlphp-module-casserver
- Affected versions: 7.0.2 and earlier
- Fixed version: 7.0.3
- Required condition: FileSystemTicketStore is configured
- Typical operators: schools, internal SSO portals, SaaS admin panels, legacy CAS integrations
10-minute self-check
Check installed module version
composer show simplesamlphp/simplesamlphp-module-casserver
composer show | grep casserver
If the module is older than 7.0.3, plan the update. If Composer does not show the module, check whether CAS server support was installed manually under the SimpleSAMLphp modules directory.
Check ticket store configuration
grep -RniE "FileSystemTicketStore|ticketstore|casserver" config modules 2>/dev/null | head -80
Run this from the SimpleSAMLphp installation directory, since the config and modules paths are relative. The highest-risk path is the file-based ticket store. Database-backed or custom stores should still be reviewed, but this CVE is centered on file path construction around CAS ticket identifiers.
Check whether CAS endpoints are public
grep -RniE "cas|validate|proxyValidate|serviceValidate" /etc/nginx /etc/apache2 /etc/httpd 2>/dev/null | head -80
Public CAS validation endpoints are normal for CAS deployments. The important point is whether those endpoints reach the vulnerable file-based ticket store.
Review access logs
grep -RE "serviceValidate|proxyValidate|validate" /var/log/nginx /var/log/apache2 /usr/local/apache/logs 2>/dev/null | tail -150
Preserve logs before changing the setup. Repeated validation failures, odd ticket shapes, or requests to legacy CAS 1.0 validation endpoints deserve a closer look.
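The four checks above can be scripted. The helper below is an added example written for this checklist; it is not part of SimpleSAMLphp or the casserver module. It compares the installed module version against 7.0.3 and triages combined-format access log lines for the patterns the log review step names: validation calls without a ticket, tickets outside the CAS ticket alphabet (ST-/PT- followed by letters, digits and hyphens), and calls to the legacy CAS 1.0 validate endpoint. The Composer listing column order, the endpoint paths under module.php/casserver, and every log line are assumptions or constructed samples, not captured data.

```shell
#!/bin/sh
# Added helper for the 10-minute self-check. Not part of SimpleSAMLphp or the
# casserver module. The Composer line and log lines below are constructed.

FIXED_VERSION="7.0.3"   # first fixed release named in the advisory

# Print the version column of a "composer show" listing line.
# Assumed column order: "vendor/package  version  description".
composer_line_version() {
    awk '/simplesamlphp-module-casserver/ { print $2; exit }'
}

# Exit 0 if version $1 is at least FIXED_VERSION, 1 if older,
# 2 if the string is not a plain major.minor.patch and needs a manual look.
casserver_version_ok() {
    v="${1#v}"
    case "$v" in ""|*[!0-9.]*) return 2 ;; esac
    oldifs=$IFS
    IFS=.
    set -- $v;             h=$(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
    set -- $FIXED_VERSION; w=$(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
    IFS=$oldifs
    [ "$h" -ge "$w" ]
}

# Read combined-format access log lines on stdin and print
# "reason<TAB>logline" for each request that deserves a closer look:
#   missing-ticket        validation call without a ticket parameter
#   odd-ticket-shape      ticket outside ST-/PT- plus [A-Za-z0-9-]
#   legacy-cas1-validate  call to the CAS 1.0 /validate endpoint
triage_cas_log() {
    awk -F'"' '
    {
        n = split($2, req, " ")          # $2 is "METHOD PATH PROTO"
        if (n < 2) next
        path = req[2]
        lower = tolower(path)
        if (lower !~ /\/(servicevalidate|proxyvalidate|validate)(\.php)?(\?|$)/) next
        ticket = ""
        if (match(path, /[?&]ticket=[^&]*/))
            ticket = substr(path, RSTART + 8, RLENGTH - 8)
        reason = ""
        if (ticket == "")                             reason = "missing-ticket"
        else if (ticket !~ /^[SP]T-[A-Za-z0-9-]+$/)   reason = "odd-ticket-shape"
        else if (lower ~ /\/validate(\.php)?(\?|$)/)  reason = "legacy-cas1-validate"
        if (reason != "") print reason "\t" $0
    }'
}

# Constructed sample log (not real traffic). Lines 3, 4 and 5 should be flagged.
SAMPLE_LOG='198.51.100.7 - - [10/Jun/2026:12:00:01 +0000] "GET /simplesaml/module.php/casserver/serviceValidate?service=https%3A%2F%2Fapp.example.org%2F&ticket=ST-1-abcDEF123 HTTP/1.1" 200 612 "-" "okhttp/4.9"
198.51.100.7 - - [10/Jun/2026:12:00:02 +0000] "GET /simplesaml/module.php/casserver/proxyValidate?service=https%3A%2F%2Fapp.example.org%2F&ticket=PT-2-xyz789 HTTP/1.1" 200 640 "-" "okhttp/4.9"
203.0.113.9 - - [10/Jun/2026:12:00:03 +0000] "GET /simplesaml/module.php/casserver/serviceValidate?service=https%3A%2F%2Fapp.example.org%2F&ticket=ST-1%2F..%2F..%2Fconfig HTTP/1.1" 200 233 "-" "python-requests/2.31"
203.0.113.9 - - [10/Jun/2026:12:00:04 +0000] "GET /simplesaml/module.php/casserver/serviceValidate?service=https%3A%2F%2Fapp.example.org%2F HTTP/1.1" 200 233 "-" "python-requests/2.31"
203.0.113.9 - - [10/Jun/2026:12:00:05 +0000] "GET /simplesaml/module.php/casserver/validate?service=https%3A%2F%2Fapp.example.org%2F&ticket=ST-3-legacy01 HTTP/1.1" 200 3 "-" "curl/8.5.0"
192.0.2.4 - - [10/Jun/2026:12:00:06 +0000] "GET /simplesaml/module.php/core/loginuserpass HTTP/1.1" 200 1402 "-" "Mozilla/5.0"'

# Number of flagged requests in the constructed sample (expected: 3).
sample_findings_count() {
    printf '%s\n' "$SAMPLE_LOG" | triage_cas_log | wc -l | tr -d ' '
}

# Demo when run directly: check a constructed Composer line, then triage the sample.
demo_version=$(printf '%s\n' 'simplesamlphp/simplesamlphp-module-casserver 7.0.2 CAS server module' | composer_line_version)
if casserver_version_ok "$demo_version"; then
    echo "casserver $demo_version: at or above $FIXED_VERSION"
else
    echo "casserver $demo_version: older than $FIXED_VERSION, plan the upgrade"
fi
printf '%s\n' "$SAMPLE_LOG" | triage_cas_log
```

On a real host, replace the constructed inputs with `composer show | composer_line_version` and `cat /var/log/nginx/access.log | triage_cas_log`. The ticket alphabet check follows the CAS protocol's ticket format rather than anything specific to this module, so a flagged line is a reason to look, not proof of an attempt; the output is tab-separated so it can be sorted by reason or fed to further tooling.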
Safe fix path
- Upgrade the module to 7.0.3 or newer. Confirm the version after deployment.
- Restart PHP-FPM or the web server. Loaded PHP code may not refresh until the process restarts.
- Restrict filesystem permissions. The PHP process should not be able to write or delete unrelated application files.
- Consider a non-file ticket store. Use a store that matches your operational controls and backup policy.
- Rotate SSO secrets if suspicious validation traffic appears. Preserve logs first.
When to request help
- The CAS server is internet-facing and still runs module version 7.0.2 or older.
- FileSystemTicketStore is enabled and you cannot map all public validation traffic.
- CAS tickets, SimpleSAMLphp cache files, or PHP-owned files disappeared unexpectedly.
- You need to patch without breaking login for multiple applications.
Ping7 repair path
Ping7 can review SimpleSAMLphp module versions, CAS endpoint exposure, ticket store configuration, PHP filesystem permissions, and post-patch login flow. Start from CVE Repair and include the module version, web server, PHP runtime, and whether the CAS server is public.