CVE-2026-46491: SimpleSAMLphp-casserver Path Traversal & Arbitrary File Deletion
SimpleSAMLphp-casserver versions before 7.0.3 contain a path traversal vulnerability in their file-based ticket storage mechanism. An attacker can manipulate CAS ticket identifiers to read, deserialize, and potentially delete arbitrary files on the server. The vulnerability exists in public-facing CAS validation endpoints that lack proper input sanitization, making it exploitable without authentication.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.6 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
- Weaknesses (CWE)
- CWE-22
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-06-17
NVD description (verbatim)
SimpleSAMLphp-casserver is a CAS 1.0 and 2.0 compliant CAS server in the form of a SimpleSAMLphp module. Prior to version 7.0.3, simplesamlphp-module-casserver builds file paths for the file-based CAS ticket store by directly concatenating the configured ticket directory with an attacker-controlled ticket identifier. Public CAS validation/proxy endpoints pass attacker-controlled ticket / pgt query parameters into this store. In deployments using FileSystemTicketStore, a remote attacker can use path traversal sequences such as ../target.serialized to make the CAS server read and unserialize files outside the ticket directory. In the CAS 1.0 validation flow, the same attacker-selected path is also passed to deleteTicket() immediately after getTicket() returns, which can delete the target file when it is readable by the PHP process, deletable under the PHP process filesystem permissions, and unserializes to a value compatible with the ?array return type. This issue has been patched in version 7.0.3.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
SimpleSAMLphp-casserver constructs file paths for the FileSystemTicketStore by concatenating a configured directory with user-supplied ticket identifiers without validation. The vulnerable code path affects CAS 1.0 and 2.0 protocol handlers that accept ticket and pgt (proxy-granting ticket) parameters from remote clients. An attacker can inject path traversal sequences (e.g., ../../../target.serialized) to escape the intended ticket directory. After the getTicket() call deserializes the retrieved file, a subsequent deleteTicket() call in the CAS 1.0 flow attempts to remove the file, potentially deleting sensitive data if filesystem permissions allow. Unsafe deserialization of arbitrary files compounds the risk by enabling object injection attacks if the attacker-chosen file content is crafted to match expected class signatures.
Business impact
An attacker can exfiltrate sensitive configuration files, session data, or other serialized objects stored on the affected server. In CAS 1.0 deployments, the delete operation could cause denial of service or loss of critical files depending on what the attacker targets and whether PHP process permissions allow deletion. Organizations relying on SimpleSAMLphp-casserver for authentication federation face confidentiality and integrity risks. The lack of authentication requirements means any remote actor can attempt exploitation without prior access.
Affected systems
SimpleSAMLphp-casserver versions prior to 7.0.3 are affected. The vulnerability is specific to deployments using FileSystemTicketStore (file-based ticket persistence). Organizations using alternative ticket stores (database-backed, etc.) are not exposed to this path traversal vector. Verify your deployment configuration and current version against the vendor advisory.
Exploitability
Exploitability is high: the attack requires no authentication, no user interaction, and no special network conditions. The vulnerability is in unauthenticated CAS protocol endpoints accessible to any network client. Successful exploitation depends on knowing or guessing target file paths, but common server file locations (configuration files, session directories) can be enumerated via error messages or standard directory structures. The deserialization step introduces an additional exploitation dimension if attackers can craft malicious serialized payloads.
Remediation
Upgrade SimpleSAMLphp-casserver to version 7.0.3 or later immediately. This version includes input validation to prevent path traversal sequences in ticket identifiers. After patching, review server logs for suspicious CAS validation requests containing path traversal patterns (../ sequences in ticket parameters) to detect potential exploitation attempts. Consider enforcing allowlist-based ticket identifier validation even after upgrade as a defense-in-depth measure.
Patch guidance
Apply SimpleSAMLphp-casserver version 7.0.3 or later. Verify the patch against the official SimpleSAMLphp release notes and repository. Test the upgrade in a staging environment first to ensure compatibility with your authentication flow and any custom integrations. After deployment, monitor CAS validation endpoints for error rates or unexpected behavior during the transition period.
Detection guidance
Monitor web server access logs and CAS validation endpoints for requests containing path traversal sequences in ticket or pgt parameters (look for patterns like ../, ..\ or URL-encoded equivalents %2e%2e%2f). Correlate such requests with filesystem access attempts to sensitive files. Review PHP error logs for deserialization warnings or unexpected file access attempts. Implement network-level detection for CAS protocol messages with non-alphanumeric characters in ticket identifiers that fall outside expected patterns.
Why prioritize this
This vulnerability merits immediate priority due to its high CVSS score (8.6), lack of authentication requirements, and direct impact on core authentication infrastructure. The ability to read arbitrary files threatens credential stores and session data, while the delete capability in CAS 1.0 creates availability risk. Organizations using FileSystemTicketStore should treat this as critical given the public nature of CAS endpoints and the relative ease of exploitation.
Risk score, explained
The CVSS 3.1 score of 8.6 (HIGH) reflects a network-exploitable vulnerability with low attack complexity, no privilege escalation needed, and significant impact on confidentiality (file exfiltration) and integrity (file deletion/tampering). The score appropriately captures the authentication-free nature of the vulnerable endpoints and the broad accessibility of the vulnerability to remote attackers, though it does not account for the requirement that FileSystemTicketStore be in use.
Frequently asked questions
Does this affect all SimpleSAMLphp installations?
No. The vulnerability is specific to SimpleSAMLphp-casserver module and only when using FileSystemTicketStore for ticket persistence. SimpleSAMLphp itself is not affected. Verify your deployment uses casserver and confirm your ticket store configuration in the module settings.
Can this vulnerability be exploited without network access to CAS endpoints?
No. The vulnerability requires unauthenticated access to public CAS validation or proxy endpoints (typically /module.php/casserver/... paths). This means the endpoints must be network-accessible; internal-only deployments with proper network segmentation have reduced risk but should still patch promptly.
What is the relationship between the deserialization step and the file deletion?
In CAS 1.0 validation, the server first reads and unserializes a file at the attacker-supplied path (getTicket), then attempts to delete that same file (deleteTicket). If the attacker targets a valid serialized object outside the ticket directory, deserialization may succeed, and deletion will proceed if filesystem permissions allow. This two-step behavior amplifies risk by enabling both data exfiltration and file deletion in one attack.
How should I verify if my SimpleSAMLphp-casserver is vulnerable?
Check your installed version against the official SimpleSAMLphp repository. If you are running version 7.0.2 or earlier and using FileSystemTicketStore, you are vulnerable. Verify your ticket store type in the casserver module configuration. If using a database or remote ticket store instead, you are not exposed to this particular path traversal vector, though you should still update for other potential fixes.
This analysis is based on publicly available vulnerability data and vendor disclosures as of the publication date. Actual risk and exploitability may vary based on specific deployment configurations, network segmentation, and the presence of compensating controls. Organizations should verify patch availability and compatibility through official SimpleSAMLphp channels before deploying updates. SEC.co makes no warranty regarding the completeness or accuracy of this assessment and recommends consulting with your security team and the vendor advisory for definitive guidance. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2017-20248HIGHApptha Slider Gallery Path Traversal Vulnerability
- CVE-2017-20250HIGHMac Photo Gallery 3.0 Path Traversal File Download Vulnerability
- CVE-2018-25408HIGHOpen ISES Project Path Traversal Vulnerability (High Severity)
- CVE-2024-40646HIGHVertex Path Traversal Vulnerability – Remote File Access Risk
- CVE-2026-0270HIGHCortex XSOAR Path Traversal on Linux — Exploit Requirements & Patching Guide
- CVE-2026-10108HIGHUnauthenticated Path Traversal in xiaomusic v0.5.7 – File Read Vulnerability
- CVE-2026-11416HIGHMoviePilot Path Traversal in Cloud Storage Download Handlers
- CVE-2026-11419HIGHAltium Enterprise Server Path Traversal – Arbitrary File Write