Overview

This is an initial Apereo CAS project vulnerability disclosure, describing an issue in CAS acting and running as an OpenID Connect provider. Additional details will be made public once the security grace window has passed.

For additional details on how security issues, patches and announcements are handled, please read the Apereo CAS project vulnerability disclosure process.

Credits

This issue was originally reported to the team at Coop (Switzerland), namely Artur Stoecklin and David Roth, via the YesWeHack platform, which is a “global crowdsourced security and bug bounty platform that connects organizations with a vetted community of tens of thousands of ethical (white-hat) hackers to identify and report vulnerabilities in websites, mobile apps, and infrastructure”. Both the original reporter as well as the team at YesWeHack shared complete and thorough instructions on how this vulnerability can be observed and exercised. The team at Coop (Switzerland) further validated and tested the fix.

Thank you everyone!

Affected Deployments

The problem addressed here, per the CAS maintenance policy, affects the Apereo CAS server for the following versions:

- 7.3.x

If your CAS version is not listed above AND is still part of an active maintenance cycle per the CAS maintenance policy, then best effort (analysis or confirmation from reporters/testers) indicates that the version is not affected by this issue. That said, please note that per the project’s Apache2 license, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. For additional information, please see the project license.

If you are (or your institution is) a member of the Apereo foundation with an active support subscription supporting the CAS project, please contact the CAS subs working group to learn more about this security vulnerability report.

Severity

You are affected by this security vulnerability IF AND ONLY IF your CAS deployment is acting and running as an OpenID Connect identity provider. Additional details will be made public once the security grace window has passed.

If your deployment does not pass the noted condition(s) above, there is nothing for you to do here. Keep calm and carry on.

Timeline

The issue was originally reported to the team at Coop (Switzerland) on May 5th, 2026 and was shared with the CAS project on May 22nd, 2026. Upon confirmation, CAS releases were patched and eventually published on May 27th, 2026.

Patching

Patch releases are available to address CAS deployments. Upgrades to the next patch version for each release should be a drop-in replacement.

Affected Versions

7.3.x

Modify your CAS overlay to point to the version 7.3.7.1.

How to upgrade

• Locate your gradle.properties file in your CAS overlay, found at the root of the project.
• Modify your CAS version to point to the approriate release version noted above by updating the cas.version property.
• Follow the instructions in the README.md file to build the server, i.e. ./gradlew[.bat] clean build.

Support

Apereo CAS is Apache v2 open source software under the sponsorship of the Apereo Foundation. Support options may be found here.

If you or your institution is a member of the Apereo foundation with an active CAS subscription supporting the CAS project, please contact the CAS subs working group to learn more about this security vulnerability.

Resources

• CAS Security Vulnerability Response Model
• CAS Maintenance Policy
• CAS Mailing Lists

On behalf of the CAS Application Security working group,

Misagh Moayyed