CVE-2026-59099
Apereo · CAS
A cryptographic flaw in Apereo CAS allows unauthenticated attackers to decrypt webflow conversation states by exploiting AES-GCM initialization vector reuse.
Executive summary
Apereo CAS contains a critical cryptographic vulnerability that allows unauthenticated attackers to recover plaintext conversation state, leading to potential identity and session compromise.
Vulnerability
The application utilizes a fixed all-zero initialization vector (IV) with AES-GCM encryption, resulting in keystream reuse. This allows unauthenticated remote attackers to perform known-plaintext analysis on collected webflow execution tokens.
Business impact
The ability to decrypt conversation states poses a severe threat to authentication security, potentially exposing sensitive session information or facilitating session hijacking. With a CVSS score of 9.1, this represents a critical risk to any enterprise relying on Apereo CAS for centralized authentication and identity management.
Remediation
Immediate Action: Upgrade to version 8.0.0-RC6 or later to implement secure, unique initialization vector generation for all cryptographic operations.
Proactive Monitoring: Monitor authentication logs and webflow traffic for patterns indicative of automated token collection or high-frequency requests from single sources.
Compensating Controls: While no direct WAF rule can fix the underlying cryptographic flaw, rate-limiting login attempts can slow down the token collection process required for this attack.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
This vulnerability undermines the fundamental security of the CAS identity provider. Organizations must treat this as a high-priority update to prevent the exposure of plaintext session data. Patching is the only effective way to resolve the underlying keystream reuse issue.