CVE-2026-59099

Apereo · CAS

A cryptographic flaw in Apereo CAS allows unauthenticated attackers to decrypt webflow conversation states by exploiting AES-GCM initialization vector reuse.

Executive summary

Apereo CAS contains a critical cryptographic vulnerability that allows unauthenticated attackers to recover plaintext conversation state, leading to potential identity and session compromise.

Vulnerability

The application utilizes a fixed all-zero initialization vector (IV) with AES-GCM encryption, resulting in keystream reuse. This allows unauthenticated remote attackers to perform known-plaintext analysis on collected webflow execution tokens.

Business impact

The ability to decrypt conversation states poses a severe threat to authentication security, potentially exposing sensitive session information or facilitating session hijacking. With a CVSS score of 9.1, this represents a critical risk to any enterprise relying on Apereo CAS for centralized authentication and identity management.

Remediation

Immediate Action: Upgrade to version 8.0.0-RC6 or later to implement secure, unique initialization vector generation for all cryptographic operations.

Proactive Monitoring: Monitor authentication logs and webflow traffic for patterns indicative of automated token collection or high-frequency requests from single sources.

Compensating Controls: While no direct WAF rule can fix the underlying cryptographic flaw, rate-limiting login attempts can slow down the token collection process required for this attack.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

This vulnerability undermines the fundamental security of the CAS identity provider. Organizations must treat this as a high-priority update to prevent the exposure of plaintext session data. Patching is the only effective way to resolve the underlying keystream reuse issue.