SimpleSAMLphp-casserver is a CAS 1.0 and 2.0 compliant CAS server in the form of a SimpleSAMLphp module. Prior to version 7.0.3, simplesamlphp-module-casserver builds file paths for the file-based CAS ticket store by directly concatenating the configured ticket directory with an attacker-controlled ticket identifier. Public CAS validation/proxy endpoints pass attacker-controlled ticket / pgt query parameters into this store. In deployments using FileSystemTicketStore, a remote attacker can use path traversal sequences such as ../target.serialized to make the CAS server read and unserialize files outside the ticket directory. In the CAS 1.0 validation flow, the same attacker-selected path is also passed to deleteTicket() immediately after getTicket() returns, which can delete the target file when it is readable by the PHP process, deletable under the PHP process filesystem permissions, and unserializes to a value compatible with the ?array return type. This issue has been patched in version 7.0.3.
CVE-2026-46491
This high-severity CVE scores 8.6 under a secondary CVSS source (NVD's own analysis pending). EPSS exploit probability: 0.4%, top 66% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- High severity, but no confirmed exploitation yet
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 8.6
- EG Score
- 8.6(medium)
- EPSS
- 34.2%
- KEV
- Not listed
Published
May 15, 2026
Last Modified
June 10, 2026
Advisory Details (2)
Auto-updated Jun 10, 2026SimpleSAMLphp casserver FileSystemTicketStore path traversal allows out-of-ticket-directory read/unserialize and conditional deletion · Advisory · simplesamlphp/simplesamlphp-module-casserver · GitHub
https://github.com/simplesamlphp/simplesamlphp-module-casserver/security/advisories/GHSA-jrrg-99xh-5j2qcommit b84f3e4ed57c (simplesamlphp/simplesamlphp-module-casserver)
Fix landed in simplesamlphp/simplesamlphp-module-casserver commit b84f3e4ed57c — awaiting tagged release
https://github.com/simplesamlphp/simplesamlphp-module-casserver/commit/b84f3e4ed57c4d97e0dc73df102e7eff831a681fVendor Advisories for CVE-2026-46491(1)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
Affected Packages
(1 across 1 ecosystem)
Packagist(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| simplesamlphp/simplesamlphp-module-casserver | v6.0.0 ... v7.0.2 (14 versions) | 7.0.3 | — |
Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 6× in last 7d / 50× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-12 05:46 UTCEPSS rescore
- 2026-07-11 08:27 UTCEPSS rescore
- 2026-07-09 19:10 UTCEPSS rescore
- 2026-07-08 15:16 UTCEPSS rescore
- 2026-07-06 16:27 UTCEPSS rescore
- 2026-07-06 02:23 UTCEPSS rescore
- 2026-07-05 02:30 UTCEPSS rescore
- 2026-07-04 06:31 UTCEPSS rescore
- 2026-07-01 15:07 UTCEPSS rescore
- 2026-06-30 23:22 UTCEPSS rescore
- 2026-06-29 21:27 UTCEG score recompute
- 2026-06-29 14:06 UTCEPSS rescore
- 2026-06-29 14:06 UTCEPSS rescore
- 2026-06-28 14:07 UTCEPSS rescore
- 2026-06-28 11:13 UTCEG score recompute
- 2026-06-28 04:56 UTCEPSS rescore
- 2026-06-28 04:56 UTCEPSS rescore
- 2026-06-27 22:18 UTCEG score recompute
- 2026-06-27 09:06 UTCEG score recompute
- 2026-06-27 03:08 UTCEPSS rescore
- 2026-06-26 20:11 UTCEG score recompute
- 2026-06-25 18:45 UTCEG score recompute
- 2026-06-25 13:49 UTCEPSS rescore
- 2026-06-24 14:05 UTCEPSS rescore
- 2026-06-23 21:33 UTCEPSS rescore
Show 50 moreShow fewer
- 2026-06-23 21:33 UTCEPSS rescore
- 2026-06-22 14:25 UTCEPSS rescore
- 2026-06-22 14:25 UTCEPSS rescore
- 2026-06-21 14:56 UTCEPSS rescore
- 2026-06-21 14:56 UTCEPSS rescore
- 2026-06-21 01:59 UTCEPSS rescore
- 2026-06-21 01:59 UTCEPSS rescore
- 2026-06-19 19:26 UTCEPSS rescore
- 2026-06-19 19:26 UTCEPSS rescore
- 2026-06-18 17:52 UTCEPSS rescore
- 2026-06-18 17:52 UTCEPSS rescore
- 2026-06-18 03:53 UTCEG score recompute
- 2026-06-17 17:53 UTCEPSS rescore
- 2026-06-17 13:23 UTCEG score recompute
- 2026-06-16 21:50 UTCEG score recompute
- 2026-06-16 17:53 UTCEPSS rescore
- 2026-06-15 23:32 UTCEG score recompute
- 2026-06-15 17:49 UTCEPSS rescore
- 2026-06-15 01:06 UTCEG score recompute
- 2026-06-14 12:12 UTCEG score recompute
- 2026-06-13 23:16 UTCEG score recompute
- 2026-06-13 23:00 UTCEPSS rescore
- 2026-06-13 04:03 UTCEG score recompute
- 2026-06-12 23:12 UTCEPSS rescore
- 2026-06-12 23:12 UTCEPSS rescore
- 2026-06-12 14:10 UTCEG score recompute
- 2026-06-12 01:14 UTCEG score recompute
- 2026-06-11 14:00 UTCEPSS rescore
- 2026-06-11 12:21 UTCEG score recompute
- 2026-06-10 23:26 UTCEG score recompute
- 2026-06-10 22:18 UTCEPSS rescore
- 2026-06-10 10:32 UTCEG score recompute
- 2026-06-09 21:39 UTCEG score recompute
- 2026-06-09 08:41 UTCEG score recompute
- 2026-06-08 19:46 UTCEG score recompute
- 2026-06-08 05:26 UTCEG score recompute
- 2026-06-07 16:33 UTCEG score recompute
- 2026-06-07 03:39 UTCEG score recompute
- 2026-06-06 14:45 UTCEG score recompute
- 2026-06-06 01:50 UTCEG score recompute
- 2026-06-05 12:57 UTCEG score recompute
- 2026-06-05 00:03 UTCEG score recompute
- 2026-06-04 10:56 UTCEG score recompute
- 2026-06-03 22:02 UTCEG score recompute
- 2026-06-03 09:08 UTCEG score recompute
- 2026-06-02 20:14 UTCEG score recompute
- 2026-06-02 07:20 UTCEG score recompute
- 2026-06-01 18:26 UTCEG score recompute
- 2026-06-01 05:32 UTCEG score recompute
- 2026-05-24 06:18 UTCEG score recompute
Related CVEs(same CWE)
Frequently asked(5)
What is CVE-2026-46491?
When was CVE-2026-46491 disclosed?
Is CVE-2026-46491 actively exploited?
What is the CVSS score of CVE-2026-46491?
How do I remediate CVE-2026-46491?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-46491
Is Your Infrastructure Affected by CVE-2026-46491?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.