A critical cryptographic flaw in Apereo CAS lets remote, unauthenticated attackers decrypt webflow conversation state by exploiting a fixed all-zero AES-GCM initialization vector reused across the server's lifetime.
What Is It
CVE-2026-59099 is a cryptographic vulnerability (CWE-323, "Reusing a Nonce/Key Pair in Encryption") in Apereo CAS, the widely deployed open-source single sign-on and identity server. The affected builds pair a fixed all-zero initialization vector with the same AES-GCM encryption key for the entire server lifetime. Because the IV and key never change, the keystream is reused, breaking the confidentiality guarantees of AES-GCM.
An attacker can collect multiple client-side webflow execution tokens from the unauthenticated login page and perform known-plaintext analysis against them. This keystream reuse allows recovery of the plaintext webflow conversation state without any credentials.
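The flawed pattern described above beside a corrected one, as an added example: this is not code from Apereo CAS or from its fix commit. The class and method names are hypothetical, and the sample state string is constructed.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
// Added illustration; names are hypothetical and this is not CAS code.
public class GcmNonceDemo {
    static final int NONCE_LEN = 12, TAG_BITS = 128;
    static final SecureRandom RNG = new SecureRandom();

    // Flawed pattern (CWE-323): the same all-zero IV for every message under one key.
    static byte[] encryptFixedIv(SecretKey key, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, new byte[NONCE_LEN]));
        return c.doFinal(plaintext);
    }

    // Corrected pattern: fresh random 96-bit nonce per message, stored in front of the ciphertext.
    static byte[] encryptFreshNonce(SecretKey key, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[NONCE_LEN];
        RNG.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        byte[] body = c.doFinal(plaintext);
        byte[] out = Arrays.copyOf(nonce, NONCE_LEN + body.length);
        System.arraycopy(body, 0, out, NONCE_LEN, body.length);
        return out;
    }

    // Reads the nonce back from the first 12 bytes; a failed tag check throws AEADBadTagException.
    static byte[] decryptFreshNonce(SecretKey key, byte[] token) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, token, 0, NONCE_LEN));
        return c.doFinal(token, NONCE_LEN, token.length - NONCE_LEN);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        byte[] state = "constructed-sample-webflow-state".getBytes(StandardCharsets.UTF_8);
        // Regression check for a cipher wrapper: the same input must never give the same output.
        boolean fixedRepeats = Arrays.equals(encryptFixedIv(key, state), encryptFixedIv(key, state));
        boolean freshRepeats = Arrays.equals(encryptFreshNonce(key, state), encryptFreshNonce(key, state));
        boolean roundTrip = Arrays.equals(state, decryptFreshNonce(key, encryptFreshNonce(key, state)));
        System.out.println("fixedRepeats=" + fixedRepeats + " freshRepeats=" + freshRepeats + " roundTrip=" + roundTrip);
    }
}
```

Random 96-bit nonces are safe only for a bounded number of messages per key (NIST SP 800-38D sets the limit at 2^32 invocations), so a long-lived key also needs rotation.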
Why It Matters
The flaw carries a CVSS 3.1 base score of 9.1 (CRITICAL) and a CVSS 4.0 score of 9.3 (CRITICAL). It is remotely exploitable over the network (AV:N) with low attack complexity (AC:L), requires no privileges (PR:N), and needs no user interaction (UI:N). Impact is rated HIGH for both confidentiality and integrity.
Because CAS is an authentication gateway, exposure of the encrypted conversation state undermines the trust boundary of the login flow itself, and the exploit path begins entirely from the unauthenticated login page.
What's Vulnerable
- Vendor/Product: Apereo CAS
- Affected versions: 7.3.0 up to (but not including) 8.0.0-RC6
There is no CISA KEV entry in the supplied source material, so active exploitation is not confirmed by KEV at this time.
Patch Status
The issue is fixed in Apereo CAS 8.0.0-RC6. A corresponding fix commit (22c6f4a) is published in the project repository. Operators running affected builds (7.3.0 up to, but not including, 8.0.0-RC6) should upgrade to 8.0.0-RC6 or later.