HarborGuard Database
CRITICAL | CVE-2026-59099 | CNA: VulnCheck

CVE-2026-59099: Apereo CAS 7.3.0 < 8.0.0-RC6 - AES-GCM Nonce Reuse Information Disclosure

Apereo CAS 7.3.0 before 8.0.0-RC6 contains a cryptographic vulnerability that allows remote unauthenticated attackers to recover plaintext webflow conversation state. The server encrypts client-side webflow execution tokens with AES-GCM using a fixed all-zero initialization vector and the same encryption key for its entire lifetime, so every token is encrypted under the same CTR keystream. An attacker can collect multiple tokens from the unauthenticated login page, XOR them against each other or against a token whose plaintext is known, and recover the conversation state by known-plaintext analysis.

Metrics

CVSS v4.0: 9.3
Severity: CRITICAL
Fixed in: 8.0.0-RC6
Affected products: 1


HarborGuard Analysis

Synopsis

An AES-GCM nonce-reuse vulnerability exists in Apereo CAS versions 7.3.0 up to, but not including, 8.0.0-RC6. The server encrypts webflow execution tokens with a fixed all-zero initialization vector under the same key for its entire lifetime, so every token shares one keystream. Any unauthenticated remote attacker who collects multiple tokens from the login page can perform known-plaintext analysis and recover the plaintext conversation state. Successful exploitation gives the attacker read access to confidential session state and, because a repeated nonce in GCM also compromises the authentication tag, the ability to tamper with authentication conversation data. A patched-image rebuild at version 8.0.0-RC6 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-59099 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle Apereo CAS. Any image with an Apereo CAS version in the affected range (7.3.0 to earlier than 8.0.0-RC6) is flagged automatically.

Triage: Available

HarborGuard scores this CVE at 9.3 Critical using the CVSS v4.0 vector and weights it against each environment's compliance policy, escalating findings accordingly. Triage results are routed to the appropriate team inbox within each customer organization based on their configured alert rules.

Patch: Available

A patched-image rebuild targeting Apereo CAS 8.0.0-RC6 is available on HarborGuard for any image found running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Apereo CAS login page over the network; any network-accessible instance is exposed, since the vulnerable endpoint is the unauthenticated login flow.

  • Authentication: Not required

    No credentials or account are needed; the vulnerability is exploitable entirely through the public-facing unauthenticated login page.

  • Victim interaction: Not required

    The attacker collects webflow execution tokens by interacting directly with the server; no victim user action is required.

  • Attack complexity: Low

    Per the CVSS vector (AC:L, AT:N), exploitation is deterministic once enough tokens and some known or guessable plaintext have been collected; no race conditions or memory-layout dependencies are involved.

Blast Radius

  • Attacker decrypts webflow conversation state, reading confidential in-progress authentication session data such as credential fragments and identity assertions in transit.
  • Attacker recovers keystream that applies to every token encrypted under the same key, so token ciphertext can be modified bit-for-bit; because the repeated nonce also allows the GCM authentication subkey to be recovered from colliding tags, modified tokens can be given valid tags, allowing manipulation of the authentication flow state.
  • Exposed conversation state may reveal service ticket targets, authentication context, and user-supplied credential inputs submitted during the login process.
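The following Go program is an added example, not part of this advisory or of the Apereo CAS code base. It reproduces the defect described in the summary above and in the Blast Radius list using the standard library's AES-GCM: a constructed key and constructed serialized-state strings (assumptions; the real CAS serialization format differs) are encrypted under a fixed all-zero nonce, one token with known plaintext yields the shared keystream, and that keystream decrypts a second token. The same XOR against tokens sealed with random nonces recovers nothing, and the final check shows that GCM still rejects a ciphertext edited without a forged tag, so the tampering listed in the Blast Radius requires additionally recovering the GCM authentication subkey from the repeated nonce, which this example does not implement.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// serverKey is a constructed 32-byte key standing in for the CAS webflow
// encryption key. The attacker never learns it; the attack does not need it.
var serverKey = []byte("0123456789abcdef0123456789abcdef")

// zeroIV models the vulnerable behaviour: one fixed all-zero 96-bit GCM nonce
// reused for every token over the server's lifetime.
var zeroIV = make([]byte, 12)

// gcmFor builds an AES-GCM instance over serverKey.
func gcmFor() cipher.AEAD {
	block, err := aes.NewCipher(serverKey)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// sealVulnerable is the pre-fix construction: ciphertext || 16-byte tag under
// the fixed zero nonce, so every token shares one CTR keystream.
func sealVulnerable(pt []byte) []byte {
	return gcmFor().Seal(nil, zeroIV, pt, nil)
}

// sealFixed is the correct construction: a fresh random nonce per token,
// prepended to the output so the receiver can decrypt.
func sealFixed(pt []byte) []byte {
	nonce := make([]byte, 12)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return append(nonce, gcmFor().Seal(nil, nonce, pt, nil)...)
}

// xorPrefix returns a XOR b over their common length.
func xorPrefix(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// body strips the 16-byte GCM tag from ciphertext || tag.
func body(token []byte) []byte { return token[:len(token)-16] }

// recoverKeystream XORs a token body with its known plaintext. Under a
// repeated nonce this is exactly the CTR keystream shared by all tokens.
func recoverKeystream(knownPT, tokenBody []byte) []byte {
	return xorPrefix(tokenBody, knownPT)
}

// decryptWithKeystream applies a recovered keystream to another token body.
func decryptWithKeystream(ks, tokenBody []byte) []byte {
	return xorPrefix(tokenBody, ks)
}

// tamperRejected flips one byte of a vulnerable token and reports whether GCM
// rejects it. Keystream recovery alone does not produce a valid tag; forging
// one needs the GCM authentication subkey, which this example does not recover.
func tamperRejected(token []byte) bool {
	forged := append([]byte(nil), token...)
	forged[0] ^= 0x01
	_, err := gcmFor().Open(nil, zeroIV, forged, nil)
	return err != nil
}

func main() {
	// Constructed stand-ins for serialized webflow conversation state. The
	// attacker is assumed to know the plaintext of one token (for example the
	// predictable state of a conversation they started themselves).
	known := []byte(`{"flowExecution":"e1s1","service":"https://attacker.example/cb","username":""}`)
	victim := []byte(`{"flowExecution":"e7s2","service":"https://mail.example.org/","username":"alice"}`)

	ks := recoverKeystream(known, body(sealVulnerable(known)))
	recovered := decryptWithKeystream(ks, body(sealVulnerable(victim)))
	fmt.Printf("fixed zero IV, recovered prefix matches: %v\n%s\n",
		bytes.HasPrefix(victim, recovered), recovered)

	// With per-token random nonces the same XOR yields noise, not plaintext.
	ksRand := recoverKeystream(known, body(sealFixed(known)[12:]))
	noise := decryptWithKeystream(ksRand, body(sealFixed(victim)[12:]))
	fmt.Printf("random IV, recovered prefix matches: %v\n", bytes.HasPrefix(victim, noise))

	fmt.Printf("one-byte tamper rejected by GCM: %v\n", tamperRejected(sealVulnerable(victim)))
}
```

Because the attack only ever XORs ciphertexts, it never touches the key: the defence is a unique nonce per encryption (random 96-bit, or a counter that is persisted across restarts), which is what the fixed construction above models.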

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-59099 is active across all customer pipelines, matching container images against the affected Apereo CAS version range the moment the CVE enters HarborGuard's ingestion pipeline. A patched rebuild at 8.0.0-RC6 is available for any image confirmed to carry an affected version. For customers with auto-remediation enabled, HarborGuard rebuilds the image at the fixed version, executes regression tests, and opens a pull request against affected workloads; for Critical-severity issues the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled.

Where compliance policy does not permit automated remediation, the finding is surfaced in the triage queue with the CVSS 9.3 Critical score and full vector detail so engineering teams can act manually.

As an interim compensating control while a rebuild is being validated, consider restricting network access to the CAS login endpoint to known-good IP ranges via network policy and applying egress filtering to limit lateral reachability from a compromised CAS instance; note that the login page is normally meant to be reachable by every user, so IP restriction is practical mainly for internal deployments. Because anything an attacker may already have recovered (keystream and GCM authentication material) is tied to the current webflow encryption key, rotate that key when rolling out the fix rather than relying on the version upgrade alone.


Fix available: 8.0.0-RC6
Patch commits: none listed
Affected packages:
  • apereo / cas: >= 7.3.0, < 8.0.0-RC6
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N