CAS Vulnerability Disclosure


This is the public version of an Apereo CAS project vulnerability disclosure, describing an issue in CAS where an adversary may be able to bypass the second factor (token) although MFA is requested during the login process.

This issue applies to all MFA providers except the Duo provider (which is therefore NOT vulnerable).

Affected Deployments

The attack vector applies to all deployments of the CAS server for the versions:

  • 5.3.0, 5.3.1 and 5.3.2
  • lower or equal to 5.2.6.

If you have deployed the version 5.3.0, 5.3.1 or 5.3.2, you MUST upgrade to the version 5.3.3.

If you have deployed a version lower or equal to version 5.2.6, you MUST upgrade to the version 5.2.7.


This is a serious issue where successfully exercising this vulnerability allows the adversary to bypass the second factor (token) required by the MFA policy. This makes any MFA configuration to re-inforce security completely useless.


Patch releases are available to address CAS vulnerable deployments. Upgrades to the next patch version for each release should be a drop-in replacement. The patch simply ensures that the MFA factor (token) is effectively required when MFA is requested.


The issue was originally reported to the CAS application security team on August, 2018 and upon confirmation, CAS was patched.


Modify your CAS overlay to point to the version 5.2.7 or 5.3.3. A snippet of a pom.xml for a CAS overlay follows:




If you have questions on the details of this vulnerability and how it might be reproduced, please contact or


Jérôme LELEU

Related Posts

CAS 6.2.0 RC3 Feature Release which I present an overview of CAS 6.2.0 RC3 release.

Checking Out Pull Requests Locally

Check out GitHub pull requests as local branches using a simple bash function.

CAS 6.2.0 RC2 Feature Release which I present an overview of CAS 6.2.0 RC2 release.

Apereo CAS - Authentication Handler Resolution

Learn how to resolve and select authentication handlers based on configurable and flexible filtering criteria.

CAS Vulnerability Disclosure

Disclosure of a security issue with the CAS software.

Apereo CAS - SAML2 Metadata Overrides

Learn how to manage SAML2 service provider registrations in CAS and override metadata artifacts on a per-application basis.

Apereo CAS - Managing Configuration Metadata

Learn how to manage CAS configuration and properties using Spring Boot Configuration metadata.

CAS 6.2.0 RC1 Feature Release which I present an overview of CAS 6.2.0 RC1 release.

Apereo CAS - Deployment Using systemd

Fabio Martelli of Tirasa S.r.l reviews the setup required to deploy Apereo CAS as a system service using systemd.

Apereo CAS - Python Locust Load Testing

Learn to Performance Test Apereo CAS with Python Locust.