CAS Vulnerability Disclosure


This is the public version of an Apereo CAS project vulnerability disclosure, describing an issue in CAS where an adversary may be able to bypass the second factor (token) although MFA is requested during the login process.

This issue applies to all MFA providers except the Duo provider (which is therefore NOT vulnerable).

Affected Deployments

The attack vector applies to all deployments of the CAS server for the versions:

  • 5.3.0, 5.3.1 and 5.3.2
  • lower or equal to 5.2.6.

If you have deployed the version 5.3.0, 5.3.1 or 5.3.2, you MUST upgrade to the version 5.3.3.

If you have deployed a version lower or equal to version 5.2.6, you MUST upgrade to the version 5.2.7.


This is a serious issue where successfully exercising this vulnerability allows the adversary to bypass the second factor (token) required by the MFA policy. This makes any MFA configuration to re-inforce security completely useless.


Patch releases are available to address CAS vulnerable deployments. Upgrades to the next patch version for each release should be a drop-in replacement. The patch simply ensures that the MFA factor (token) is effectively required when MFA is requested.


The issue was originally reported to the CAS application security team on August, 2018 and upon confirmation, CAS was patched.


Modify your CAS overlay to point to the version 5.2.7 or 5.3.3. A snippet of a pom.xml for a CAS overlay follows:




If you have questions on the details of this vulnerability and how it might be reproduced, please contact or


Jérôme LELEU

Related Posts

CAS 6.0.0 RC3 Feature Release which I present an overview of CAS 6.0.0 RC3 release.

Apereo CAS - Multifactor Authentication with RADIUS

Learn how Apereo CAS may be configured to trigger multifactor authentication using a RADIUS server and its support for the Access-Challenge response type.

CAS 6.0.0 RC2 Feature Release which I present an overview of CAS 6.0.0 RC2 release.

Apereo CAS - dotCMS SAML2 Integration

Learn how to integrate dotCMS, a Content Management System and Headless CMS, with Apereo CAS running as a SAML2 identity provider.

Effective Software Troubleshooting Tactics

A collection of what hopefully are obvious troubleshooting tactics when it comes to diagnosing software deployment issues and configuration problems.

Apereo CAS - MaxMind Geo2IP ISP Integration

Learn how you may determine the Internet Service Provider, organization name, and autonomous system organization and number associated with the user's IP address in CAS using MaxMind services and present warnings in the authentication flow for the end-user if an IP address is matched.

Notes from Better by Design 2018

Be interested in humans and human success.

Apereo CAS - Authentication Lifecycle Phases

Tap into the Apereo CAS authentication engine from outside, and design extensions that prevent an unsuccessful authentication attempt or warn the user after-the-fact based on specific policies of your choosing.

CAS 6.0.0 RC1 Feature Release which I present an overview of CAS 6.0.0 RC1 release.

Apereo CAS Delegated Authentication with ADFS

Learn how your Apereo CAS deployment may be configured to delegate authentication to Microsoft ADFS.