DRUPAL-CONTRIB-2026-007

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/cas_server/DRUPAL-CONTRIB-2026-007.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2026-007
Aliases
  • CVE-2026-1554
Published
2026-01-28T17:29:32Z
Modified
2026-01-28T18:41:17.297958Z
Summary
[none]
Details

This module enables you to turn a Drupal install into the Central Authentication System (CAS). It makes your database the primary location for other systems to use for authentication in an SSO environment.

The module does not sufficiently sanitize user-supplied field values that are configured to be included as attributes in a CAS server response.

This vulnerability is mitigated by the fact that an attacker must be authenticated, must be able to enter XML into a user entity field, and that field must be configured as a CAS attribute source. The result is an XML Element Injection vulnerability.
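As an added illustration of the bug class (not code from the cas_server module or from the advisory), the Python below builds a CAS serviceResponse two ways, by concatenating field values straight into XML and by using an XML serializer that escapes element text, then parses both as a CAS client would. The attribute names, sample values and the element-name allow-list are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"
NS = {"cas": CAS_NS}
# Assumed allow-list for attribute element names; element names cannot be
# escaped like text, so they must be validated instead.
NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]*$")

# Constructed sample: a profile field whose value contains XML markup.
SAMPLE_ATTRIBUTES = {
    "displayName": "<cas:role>admin</cas:role>",
    "mail": "bob@example.com",
}


def build_response_unsafe(user: str, attributes: dict) -> str:
    """Vulnerable pattern: untrusted field values concatenated into XML."""
    parts = [f'<cas:serviceResponse xmlns:cas="{CAS_NS}"><cas:authenticationSuccess>',
             f"<cas:user>{user}</cas:user><cas:attributes>"]
    for name, value in attributes.items():
        parts.append(f"<cas:{name}>{value}</cas:{name}>")
    parts.append("</cas:attributes></cas:authenticationSuccess></cas:serviceResponse>")
    return "".join(parts)


def build_response_safe(user: str, attributes: dict) -> str:
    """Hardened form: values become element text, escaped by the serializer."""
    ET.register_namespace("cas", CAS_NS)
    root = ET.Element(f"{{{CAS_NS}}}serviceResponse")
    success = ET.SubElement(root, f"{{{CAS_NS}}}authenticationSuccess")
    ET.SubElement(success, f"{{{CAS_NS}}}user").text = user
    attrs = ET.SubElement(success, f"{{{CAS_NS}}}attributes")
    for name, value in attributes.items():
        if not NAME_RE.match(name):
            raise ValueError(f"invalid CAS attribute name: {name!r}")
        ET.SubElement(attrs, f"{{{CAS_NS}}}{name}").text = str(value)
    return ET.tostring(root, encoding="unicode")


def parse_attributes(xml_text: str) -> dict:
    """What a CAS client sees: attribute name -> (text, number of child elements)."""
    root = ET.fromstring(xml_text)
    result = {}
    for el in root.find("cas:authenticationSuccess/cas:attributes", NS):
        local = el.tag.split("}", 1)[1]
        result[local] = (el.text or "", len(list(el)))
    return result
```

With the unsafe builder the client sees a new `cas:role` element nested under `displayName`; with the safe builder the same value comes back as plain text with no child elements.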

References
Credits

Affected packages

Packagist: https://packages.drupal.org/8 / drupal/cas_server

Package

Name
drupal/cas_server
Purl
pkg:composer/drupal/cas_server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
2.0.3
Database specific
{
    "constraint": "<2.0.3"
}
Type
ECOSYSTEM
Events
Introduced
2.1.0
Fixed
2.1.2
Database specific
{
    "constraint": ">=2.1.0 <2.1.2"
}

Database specific

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/cas_server/DRUPAL-CONTRIB-2026-007.json"

affected_versions

"<2.0.3 || >=2.1.0 <2.1.2"