Security Advisory - Published 2026-06-10 - SimpleSAMLphp / CAS

SimpleSAMLphp CAS Server CVE-2026-46491: FileSystemTicketStore Self-Check

CVE-2026-46491 affects the simplesamlphp-module-casserver module before 7.0.3 when it uses the file-based CAS ticket store. The risky setup is specific: the CAS server module is enabled, public validation or proxy endpoints are reachable, and CAS tickets are stored on disk by the PHP process.

Defensive scope: do not test this by feeding crafted ticket values to a production SSO server. Confirm configuration, upgrade, and review access logs for unusual CAS validation activity.

Who is affected

  • Package: simplesamlphp/simplesamlphp-module-casserver
  • Affected versions: 7.0.2 and earlier
  • Fixed version: 7.0.3
  • Required condition: FileSystemTicketStore is configured
  • Typical operators: schools, internal SSO portals, SaaS admin panels, legacy CAS integrations

10-minute self-check

Check installed module version

composer show simplesamlphp/simplesamlphp-module-casserver
composer show | grep casserver

If the module is older than 7.0.3, plan the update. If Composer does not show the module, check whether CAS server support was installed manually under the SimpleSAMLphp modules directory.

Check ticket store configuration

grep -RniE "FileSystemTicketStore|ticketstore|casserver" config modules 2>/dev/null | head -80

The highest-risk path is the file-based ticket store. Database-backed or custom stores should still be reviewed, but this CVE is centered on file path construction around CAS ticket identifiers.

Check whether CAS endpoints are public

grep -RniE "cas|validate|proxyValidate|serviceValidate" /etc/nginx /etc/apache2 /etc/httpd 2>/dev/null | head -80

Public CAS validation endpoints are normal for CAS deployments. The important point is whether those endpoints reach the vulnerable file-based ticket store.

Review access logs

grep -RE "serviceValidate|proxyValidate|validate" /var/log/nginx /var/log/apache2 /usr/local/apache/logs 2>/dev/null | tail -150

Preserve logs before changing the setup. Repeated validation failures, odd ticket shapes, or requests to legacy CAS 1.0 validation endpoints deserve a closer look.
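The version test from the first step and the log review from the last step, as an added shell helper that is not part of this advisory or of the casserver module. It assumes the version string is what composer show reports and that the access log is in Apache/nginx combined format; the endpoint paths and log lines are constructed samples, and an ordinary CAS ticket is taken to be an ST- or PT- prefix followed by letters, digits and hyphens.

```shell
#!/bin/sh
# Added self-check helper; not code from the advisory or the casserver module.
# Assumes: version string as printed by "composer show"; access log in Apache/nginx
# combined format; endpoint paths and log lines below are constructed samples.

# Returns 0 when the installed casserver version is affected, i.e. older than 7.0.3.
casserver_version_affected() {
    ver=$(printf '%s' "$1" | sed 's/^v//')
    maj=$(printf '%s' "$ver" | cut -d. -f1 | sed 's/[^0-9].*//')
    min=$(printf '%s' "$ver" | cut -s -d. -f2 | sed 's/[^0-9].*//')
    pat=$(printf '%s' "$ver" | cut -s -d. -f3 | sed 's/[^0-9].*//')
    : "${maj:=0}" "${min:=0}" "${pat:=0}"   # unparsable parts count as 0: err on the side of "affected"
    if [ "$maj" -lt 7 ]; then return 0; fi
    if [ "$maj" -gt 7 ] || [ "$min" -gt 0 ]; then return 1; fi
    if [ "$pat" -lt 3 ]; then return 0; fi
    return 1
}

# Prints CAS validation requests whose ticket lacks the ordinary CAS shape
# (ST- or PT- prefix, then letters, digits and hyphens): the "odd ticket shapes"
# worth a closer look. Requests to other CAS endpoints (login, logout) are ignored.
flag_odd_cas_tickets() {
    grep -E '"(GET|POST) [^ ]*/(serviceValidate|proxyValidate|validate)[^ ]*ticket=' "$1" \
        | grep -vE 'ticket=(ST|PT)-[A-Za-z0-9-]+(&|[[:space:]"])' \
        || [ $? -eq 1 ]   # exit status 1 from grep only means nothing was flagged
}

# Constructed sample access log: two ordinary validations, one login, two odd tickets.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.10 - - [10/Jun/2026:09:12:01 +0000] "GET /cas/serviceValidate?ticket=ST-41-aB9zQ&service=https%3A%2F%2Fapp.example.edu%2F HTTP/1.1" 200 512
203.0.113.10 - - [10/Jun/2026:09:12:05 +0000] "GET /cas/login?service=https%3A%2F%2Fapp.example.edu%2F HTTP/1.1" 302 0
198.51.100.7 - - [10/Jun/2026:09:13:40 +0000] "GET /cas/proxyValidate?ticket=PT-9-k3Lm&service=https%3A%2F%2Fproxy.example.edu%2F HTTP/1.1" 200 498
198.51.100.7 - - [10/Jun/2026:09:14:02 +0000] "GET /cas/validate?ticket=abc123&service=https%3A%2F%2Fapp.example.edu%2F HTTP/1.0" 200 3
198.51.100.7 - - [10/Jun/2026:09:14:09 +0000] "GET /cas/serviceValidate?ticket=ST-12-a%20b&service=https%3A%2F%2Fapp.example.edu%2F HTTP/1.1" 500 0
EOF

# Stand-alone run: report the version verdict and the flagged requests.
for v in 7.0.2 7.0.3; do
    if casserver_version_affected "$v"; then echo "$v: affected, upgrade to 7.0.3"
    else echo "$v: not affected by CVE-2026-46491"; fi
done
echo "Validation requests with odd ticket shapes:"
flag_odd_cas_tickets "$SAMPLE_LOG"
```

On a real host, replace SAMPLE_LOG with the web server access log and pass the version printed by composer show to casserver_version_affected.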

Safe fix path

  1. Upgrade the module to 7.0.3 or newer. Confirm the version after deployment.
  2. Restart PHP-FPM or the web server. Loaded PHP code may not refresh until the process restarts.
  3. Restrict filesystem permissions. The PHP process should not be able to write or delete unrelated application files.
  4. Consider a non-file ticket store. Use a store that matches your operational controls and backup policy.
  5. Rotate SSO secrets if suspicious validation traffic appears. Preserve logs first.

When to request help

  • The CAS server is internet-facing and still runs module version 7.0.2 or older.
  • FileSystemTicketStore is enabled and you cannot map all public validation traffic.
  • CAS tickets, SimpleSAMLphp cache files, or PHP-owned files disappeared unexpectedly.
  • You need to patch without breaking login for multiple applications.

Ping7 repair path

Ping7 can review SimpleSAMLphp module versions, CAS endpoint exposure, ticket store configuration, PHP filesystem permissions, and post-patch login flow. Start from CVE Repair and include the module version, web server, PHP runtime, and whether the CAS server is public.

References