CVE Alert

CVE-2026-59099

CRITICAL 9.1

Apereo CAS 7.3.0 < 8.0.0-RC6 - AES-GCM Nonce Reuse Information Disclosure

CVSS Score: 9.1
EPSS Score: 0.0%
EPSS Percentile: 0th

Apereo CAS 7.3.0 before 8.0.0-RC6 contains a cryptographic vulnerability that allows remote unauthenticated attackers to recover plaintext conversation state by exploiting AES-GCM initialization vector reuse across the server lifetime. Attackers can collect multiple client-side webflow execution tokens from the unauthenticated login page and perform known-plaintext analysis to decrypt the webflow conversation state due to keystream reuse caused by a fixed all-zero IV paired with the same encryption key.

CWE: CWE-323
Vendor: apereo
Product: cas
Published: Jul 2, 2026

CVSS v3 Breakdown

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Affected Versions

apereo / cas
7.3.0 < 8.0.0-RC6

References

apereo.github.io: https://apereo.github.io/2026/06/18/vuln/
github.com: https://github.com/apereo/cas/releases/tag/v8.0.0-RC6
github.com: https://github.com/geo-chen/oss/blob/main/cas.md
github.com: https://github.com/apereo/cas/commit/22c6f4adf738852782309b523b4e80371057f2d0
vulncheck.com: https://www.vulncheck.com/advisories/apereo-cas-rc6-aes-gcm-nonce-reuse-information-disclosure

Credits

George Chen