HarborGuard Database

CVE-2026-46491 (HIGH) | CNA: GitHub_M

CVE-2026-46491: SimpleSAMLphp casserver FileSystemTicketStore path traversal allows out-of-ticket-directory read/unserialize and conditional deletion

SimpleSAMLphp-casserver is a CAS 1.0- and 2.0-compliant CAS server in the form of a SimpleSAMLphp module. Prior to version 7.0.3, simplesamlphp-module-casserver builds file paths for the file-based CAS ticket store by directly concatenating the configured ticket directory with an attacker-controlled ticket identifier. Public CAS validation and proxy endpoints pass the attacker-controlled ticket and pgt query parameters into this store. In deployments using FileSystemTicketStore, a remote attacker can use path traversal sequences such as ../target.serialized to make the CAS server read and unserialize files outside the ticket directory. In the CAS 1.0 validation flow, the same attacker-selected path is also passed to deleteTicket() immediately after getTicket() returns, which can delete the target file when it is readable by the PHP process, deletable under the PHP process filesystem permissions, and unserializes to a value compatible with the ?array return type. This issue has been patched in version 7.0.3.
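As an added illustration (not code from the module or the advisory) of the pattern described above: a file-backed ticket lookup that concatenates the ticket id into a path, beside a hardened version that routes both the read and the follow-up delete through one validating resolver. The function names echo the advisory's getTicket()/deleteTicket(); the bodies and the CAS ticket-id pattern are assumptions.

```php
<?php
// Added illustration, not the module's own code. Vulnerable pattern first:
// the ticket id is concatenated into a path, so "../target.serialized" is
// read, unserialized and, in the CAS 1.0 flow, handed to deleteTicket().
function getTicketVulnerable(string $ticketDir, string $ticketId): ?array
{
    $path = $ticketDir . '/' . $ticketId;
    if (!is_file($path)) {
        return null;
    }
    $data = unserialize(file_get_contents($path));
    return is_array($data) ? $data : null;
}

// Hardened: one resolver shared by read and delete. Strict id syntax first
// (the CAS ticket pattern below is an assumption), then a realpath containment
// check so the store cannot touch anything outside its own directory.
function resolveTicketPath(string $ticketDir, string $ticketId): ?string
{
    if (!preg_match('/^(ST|PT|PGT|PGTIOU)-[A-Za-z0-9-]{1,256}$/', $ticketId)) {
        throw new InvalidArgumentException('Malformed ticket identifier');
    }
    $base = realpath($ticketDir);
    $path = realpath($ticketDir . '/' . $ticketId);
    if ($base === false || $path === false
        || strncmp($path, $base . '/', strlen($base) + 1) !== 0) {
        return null; // no such ticket, or it resolved outside the store
    }
    return $path;
}

function getTicketHardened(string $ticketDir, string $ticketId): ?array
{
    $path = resolveTicketPath($ticketDir, $ticketId);
    if ($path === null) {
        return null;
    }
    // allowed_classes => false: no object instantiation from file contents.
    $data = unserialize(file_get_contents($path), ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

function deleteTicketHardened(string $ticketDir, string $ticketId): void
{
    $path = resolveTicketPath($ticketDir, $ticketId);
    if ($path !== null) {
        unlink($path);
    }
}
```

Because deleteTicketHardened() reuses the same resolver as the read, a traversal value that fails validation never reaches unlink(), which closes the conditional-deletion path the advisory describes.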

Metrics

  • CVSS v3.1: 8.6
  • Severity: HIGH
  • Fixed in:
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A path traversal vulnerability in the SimpleSAMLphp casserver module (simplesamlphp-module-casserver) allows a remote, unauthenticated attacker to read and unserialize arbitrary files on the server outside the intended CAS ticket directory. The flaw is reachable over the network with no credentials required, through public CAS validation and proxy endpoints that accept attacker-controlled ticket identifiers. Successful exploitation enables limited data disclosure via unsafe deserialization of arbitrary files, high-impact tampering of application state through that deserialized content, and conditional deletion of files the PHP process can read and remove. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-46491 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle simplesamlphp-module-casserver.

Triage: Available

Triage capability is available using the CVSS v3.1 score of 8.6 (HIGH), weighted further against each customer organization's compliance policy to determine urgency and queue priority; findings are routed to the appropriate team inbox within each customer environment based on configured ownership rules.

Patch: Pending upstream

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment version 7.0.3 or a later fix is released. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be initiated automatically at that point.

Exploit Conditions

  • Network reachability: Required

    The vulnerable CAS validation and proxy endpoints are exposed over the network, so an attacker must be able to reach the service via HTTP/HTTPS.

  • Authentication: Not required

    The affected endpoints are public CAS validation endpoints; no account or credential of any kind is needed to supply a malicious ticket parameter.

  • Victim interaction: Not required

    Exploitation is fully server-side; no user action, click, or social engineering is required.

  • Attack complexity

    The exploit is reliable and condition-free for the read and unserialize step; file deletion adds a secondary condition (the file must be readable and deletable by the PHP process and must unserialize to an array-compatible value), but crafting the traversal path itself requires no special timing or environmental setup.

Blast Radius

  • Reads and unserializes arbitrary files accessible to the PHP process outside the ticket directory, which may expose session data, application secrets, or configuration files.
  • Unsafe deserialization of attacker-selected files can trigger PHP object instantiation side effects, modifying application state or persisted data depending on classes available in the autoloader.
  • Conditionally deletes the targeted file when it is both readable and deletable by the PHP process and unserializes to an array-compatible value, causing permanent loss of that file.
  • Deleting configuration or state files the application depends on disrupts the availability of the CAS service or dependent SSO flows.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists at the time of publication, HarborGuard monitors the CVE-2026-46491 advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment simplesamlphp-module-casserver 7.0.3 is published. For customers with auto-remediation enabled, that rebuild will immediately trigger a regression-test run and open a PR against affected workloads. While awaiting the upstream patch, compensating controls worth considering include network-policy isolation that restricts access to CAS validation endpoints to known clients or trusted IP ranges, egress filtering on the PHP application host to limit what files are reachable via traversal, and review of PHP process filesystem permissions to minimize the set of files readable or deletable by the CAS service. Any images currently shipping an affected version of simplesamlphp-module-casserver will continue to surface as unresolved findings until a fix version is confirmed upstream.

Affected packages

  • simplesamlphp / simplesamlphp-module-casserver: < 7.0.3

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L