SYS::ONLINE
Wasteland.
Briefs1090
Issues17
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2026-59099 2026-07-02

CVE-2026-59099: AES-GCM Nonce Reuse in Apereo CAS Leaks Login Session State

"A critical cryptographic flaw in Apereo CAS lets remote, unauthenticated attackers decrypt webflow conversation state by exploiting a fixed all-zero AES-GCM initialization vector reused across the server's lifetime."

A critical cryptographic flaw in Apereo CAS lets remote, unauthenticated attackers decrypt webflow conversation state by exploiting a fixed all-zero AES-GCM initialization vector reused across the server's lifetime.

What Is It

CVE-2026-59099 is a cryptographic vulnerability (CWE-323, "Reusing a Nonce/Key Pair in Encryption") in Apereo CAS, the widely deployed open-source single sign-on and identity server. The affected builds pair a fixed all-zero initialization vector with the same AES-GCM encryption key for the entire server lifetime. Because the IV and key never change, the keystream is reused, breaking the confidentiality guarantees of AES-GCM.

An attacker can collect multiple client-side webflow execution tokens from the unauthenticated login page and perform known-plaintext analysis against them. This keystream reuse allows recovery of the plaintext webflow conversation state without any credentials.

Why It Matters

The flaw carries a CVSS 3.1 base score of 9.1 (CRITICAL) and a CVSS 4.0 score of 9.3 (CRITICAL). It is remotely exploitable over the network (AV:N) with low attack complexity (AC:L), requires no privileges (PR:N), and needs no user interaction (UI:N). Impact is rated HIGH for both confidentiality and integrity.

Because CAS is an authentication gateway, exposure of the encrypted conversation state undermines the trust boundary of the login flow itself, and the exploit path begins entirely from the unauthenticated login page.

What's Vulnerable

There is no CISA KEV entry in the supplied source material, so active exploitation is not confirmed by KEV at this time.

Patch Status

The issue is fixed in Apereo CAS 8.0.0-RC6. A corresponding fix commit (22c6f4a) is published in the project repository. Operators running affected 7.3.0-through-pre-RC6 builds should upgrade to 8.0.0-RC6 or later.

Sources