CVE-2026-46491

CVE-2026-46491 is a high-severity path traversal vulnerability in simplesamlphp/simplesamlphp-module-casserver (composer), affecting versions <= 7.0.2. It is fixed in 7.0.3.

Summary

simplesamlphp-module-casserver builds file paths for the file-based CAS ticket store by directly concatenating the configured ticket directory with an attacker-controlled ticket identifier, without validating the identifier or checking that the resulting path stays inside that directory. The public CAS validation/proxy endpoints pass the attacker-controlled ticket and pgt query parameters straight into this store.

In deployments using FileSystemTicketStore, a remote attacker can use path traversal sequences such as ../target.serialized to make the CAS server read and unserialize files outside the ticket directory. In the CAS 1.0 validation flow, the same attacker-selected path is also passed to deleteTicket() immediately after getTicket() returns, which can delete the target file when it is readable by the PHP process, deletable under the PHP process filesystem permissions, and unserializes to a value compatible with the ?array return type.
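As an added example (not the module's own code, neither the vulnerable nor the fixed source), the following PHP reproduces the pattern the summary describes in a minimal hypothetical store and places a hardened variant beside it. The class names, the assumption that the ticket id is appended to the directory with no extension or transformation, the ticket-id character set in ID_PATTERN, and the temporary-directory layout in demo() are all assumptions for illustration; the module's real filename scheme may differ.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from simplesamlphp-module-casserver.
// Class, method and file names are hypothetical.

final class VulnerableFileTicketStore
{
    public function __construct(private string $dir) {}

    // Path built by plain concatenation; $ticketId comes straight from the
    // ticket / pgt query parameter, so "../x" walks out of $dir.
    private function path(string $ticketId): string
    {
        return $this->dir . DIRECTORY_SEPARATOR . $ticketId;
    }

    // ?array return type: a file that unserializes to anything other than an
    // array or null (a string, an object, or false for garbage) throws TypeError.
    public function getTicket(string $ticketId): ?array
    {
        $file = $this->path($ticketId);
        if (!is_file($file)) {
            return null;
        }
        return unserialize(file_get_contents($file)); // no allowed_classes limit
    }

    public function deleteTicket(string $ticketId): void
    {
        $file = $this->path($ticketId);
        if (is_file($file)) {
            unlink($file);
        }
    }
}

final class HardenedFileTicketStore
{
    // Assumption: ticket ids are restricted to this conservative character set.
    private const ID_PATTERN = '/\A[A-Za-z0-9_-]{1,128}\z/';
    private string $dir;

    public function __construct(string $dir)
    {
        $real = realpath($dir);
        if ($real === false) {
            throw new \RuntimeException("ticket directory not found: $dir");
        }
        $this->dir = $real;
    }

    private function path(string $ticketId): string
    {
        // Primary control: reject anything that is not a plain identifier.
        if (preg_match(self::ID_PATTERN, $ticketId) !== 1) {
            throw new \InvalidArgumentException('invalid ticket id');
        }
        $file = $this->dir . DIRECTORY_SEPARATOR . $ticketId;
        // Defence in depth: an existing target must still resolve under the store.
        $real = realpath($file);
        if ($real !== false && !str_starts_with($real, $this->dir . DIRECTORY_SEPARATOR)) {
            throw new \RuntimeException('ticket path escapes the store');
        }
        return $file;
    }

    public function getTicket(string $ticketId): ?array
    {
        $file = $this->path($ticketId);
        if (!is_file($file)) {
            return null;
        }
        // allowed_classes => false turns any serialized object into
        // __PHP_Incomplete_Class, removing the object-injection primitive.
        $value = unserialize(file_get_contents($file), ['allowed_classes' => false]);
        return is_array($value) ? $value : null;
    }

    public function deleteTicket(string $ticketId): void
    {
        $file = $this->path($ticketId);
        if (is_file($file)) {
            unlink($file);
        }
    }
}

// Demonstration: a constructed serialized array placed one level above the
// ticket directory, then read and deleted through "../target.serialized".
function demo(): array
{
    $base = sys_get_temp_dir() . '/cas-traversal-' . bin2hex(random_bytes(4));
    mkdir($base . '/tickets', 0700, true);
    $target = $base . '/target.serialized';
    file_put_contents($target, serialize(['constructed' => 'outside the ticket dir']));

    $id = '../target.serialized';
    $vuln = new VulnerableFileTicketStore($base . '/tickets');
    $read = $vuln->getTicket($id);   // returns the array from outside the store
    $vuln->deleteTicket($id);        // CAS 1.0 order: delete right after get
    $deleted = !file_exists($target);

    file_put_contents($target, serialize(['constructed' => 'again']));
    $hard = new HardenedFileTicketStore($base . '/tickets');
    try {
        $hard->getTicket($id);
        $rejected = false;
    } catch (\InvalidArgumentException $e) {
        $rejected = true;
    }
    unlink($target);
    rmdir($base . '/tickets');
    rmdir($base);

    return ['vulnerable_read' => $read, 'vulnerable_deleted' => $deleted, 'hardened_rejected' => $rejected];
}

if (PHP_SAPI === 'cli') {
    var_export(demo());
}
```

Run with `php example.php` (PHP 8.0 or later, for str_starts_with and constructor promotion). The vulnerable store returns the constructed array and removes the file; the hardened store rejects the identifier before touching the filesystem. The regex is the real control; the realpath check only catches cases the pattern lets through, and unserialize() with allowed_classes disabled closes the secondary object-injection primitive even if a traversal were still possible.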

Preconditions

The demonstrated issue requires:

  • the casserver module to be enabled;
  • the file-based ticket store (FileSystemTicketStore) to be configured;
  • the public CAS validation/proxy endpoints to be reachable by the attacker;
  • the PHP process to have filesystem permissions for the target path;
  • for the demonstrated CAS 1.0 deletion impact, getTicket() to return without throwing: in practice the target file must contain serialized PHP data that unserializes to a value compatible with the ?array return type, such as an array or null. Full CAS semantic validation is not required for deletion in CAS 1.0 because deleteTicket($ticket) is called immediately after getTicket($ticket).

The attacker does not need administrator access to SimpleSAMLphp.

Impact

Affected deployments can allow remote attackers to escape the configured CAS ticket directory through public ticket validation inputs.

Confirmed impact:

  • read and unserialize files outside the ticket cache when the file content is valid serialized PHP data;
  • delete attacker-selected files outside the ticket cache through the CAS 1.0 validation flow when the target is readable by the PHP process, deletable under the PHP process filesystem permissions, and the target content unserializes to a value compatible with the ?array return type, such as a serialized array or serialized null. Full CAS semantic validation is not required before deletion in the CAS 1.0 flow.

The file deletion impact depends on filesystem permissions of the PHP process. In realistic deployments, this can destroy CAS tickets, serialized SimpleSAMLphp runtime/cache files, or other writable files whose contents can be unserialized into a value accepted by the ?array return type. It may also delete attacker-created files outside the ticket directory if the attacker has another primitive to place such serialized content.

The unserialize() call creates a dangerous secondary primitive if an attacker can place a serialized object file at a reachable path, although this report does not claim a complete object-injection or RCE chain.

Untrusted input manipulates file paths to reach files outside the intended directory. The typical impact of this bug class is unauthorized file read or write outside the intended directory; here the read is gated on unserialize() succeeding on the target's contents, and the write-side impact is deletion rather than control over file content.

CVE-2026-46491 has a CVSS score of 8.6 (High). The vector describes a network-reachable attack requiring no privileges and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment; in particular, deployments that do not use FileSystemTicketStore are not subject to the demonstrated issue. A fixed version is available (7.0.3); upgrading removes the vulnerable code path.

Affected versions

simplesamlphp/simplesamlphp-module-casserver (<= 7.0.2)

Security releases

simplesamlphp/simplesamlphp-module-casserver → 7.0.3 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade simplesamlphp/simplesamlphp-module-casserver to 7.0.3 or later to resolve this vulnerability. Until the upgrade is deployed, check which ticket store the casserver module is configured with: only deployments using FileSystemTicketStore are subject to the demonstrated issue. Also review what the PHP process can read and delete at paths reachable from the ticket directory by traversal, since the deletion impact is bounded by those permissions.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-46491? CVE-2026-46491 is a high-severity path traversal vulnerability in simplesamlphp/simplesamlphp-module-casserver (composer), affecting versions <= 7.0.2. It is fixed in 7.0.3. Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files.
  2. How severe is CVE-2026-46491? CVE-2026-46491 has a CVSS score of 8.6 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of simplesamlphp/simplesamlphp-module-casserver are affected by CVE-2026-46491? simplesamlphp/simplesamlphp-module-casserver (composer) versions <= 7.0.2 are affected.
  4. Is there a fix for CVE-2026-46491? Yes. CVE-2026-46491 is fixed in 7.0.3. Upgrade to this version or later.
  5. Is CVE-2026-46491 exploitable, and should I be worried? Whether CVE-2026-46491 is exploitable in your environment depends on whether the vulnerable code is present and reachable, and on whether FileSystemTicketStore is the configured ticket store. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-46491 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-46491? Upgrade simplesamlphp/simplesamlphp-module-casserver to 7.0.3 or later.

Other vulnerabilities in simplesamlphp/simplesamlphp-module-casserver

CVE-2025-65954
