Date: 2026-January-28
Vulnerability: XML Element Injection
Affected versions: <2.0.3 || >=2.1.0 <2.1.2
CVE IDs: CVE-2026-1554
Description:

This module enables you to turn a Drupal install into the Central Authentication System (CAS). It makes your database the primary location for other systems to use for authentication in an SSO environment.

The module doesn't sufficiently sanitize user-supplied field values that are configured to be included as attributes in a CAS server response.

This vulnerability is mitigated by the fact that an attacker must be authenticated, must be able to enter XML into a user entity field, and that field must be configured as a CAS attribute source; only under those conditions does the unsanitized value lead to an XML Element Injection vulnerability in the CAS response.
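
The following is an added example, not code from the CAS Server module, written in Python rather than the module's PHP. It contrasts a CAS serviceValidate response assembled by string concatenation (the pattern behind this class of bug) with one built as a DOM, where field values can only ever become text nodes; the user value and attribute names are constructed for the demonstration.

```python
# Added example, not code from the CAS Server module: contrasts a string-built
# CAS serviceValidate response with one built as a DOM, using constructed values.
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"


def build_response_unsafe(user, attributes):
    """Vulnerable pattern: field values are concatenated into the XML unescaped,
    so a value containing markup becomes part of the document structure."""
    body = "".join(f"<cas:{k}>{v}</cas:{k}>" for k, v in attributes.items())
    return (f'<cas:serviceResponse xmlns:cas="{CAS_NS}"><cas:authenticationSuccess>'
            f"<cas:user>{user}</cas:user><cas:attributes>{body}</cas:attributes>"
            "</cas:authenticationSuccess></cas:serviceResponse>")


def build_response_safe(user, attributes):
    """Hardened pattern: build the tree with ElementTree so every value is a text
    node (serialisation escapes &, < and >) and reject unexpected attribute names."""
    ET.register_namespace("cas", CAS_NS)
    root = ET.Element(f"{{{CAS_NS}}}serviceResponse")
    ok = ET.SubElement(root, f"{{{CAS_NS}}}authenticationSuccess")
    ET.SubElement(ok, f"{{{CAS_NS}}}user").text = str(user)
    attrs = ET.SubElement(ok, f"{{{CAS_NS}}}attributes")
    for name, value in attributes.items():
        if not name.isidentifier():  # attribute names come from config, not users
            raise ValueError(f"invalid CAS attribute name: {name!r}")
        ET.SubElement(attrs, f"{{{CAS_NS}}}{name}").text = str(value)
    return ET.tostring(root, encoding="unicode")


def attribute_pairs(xml_text):
    """Parse a response the way a CAS client would; return (name, value) pairs
    in document order, so injected elements show up as extra pairs."""
    root = ET.fromstring(xml_text)
    attrs = root.find(f".//{{{CAS_NS}}}attributes")
    return [(child.tag.split("}", 1)[1], child.text or "") for child in attrs]


# Constructed field value carrying markup, of the kind a user could store in a
# free-text profile field that is configured as a CAS attribute source.
TAINTED = "alice@example.com</cas:email><cas:role>admin</cas:role><cas:email>x"

if __name__ == "__main__":
    print(attribute_pairs(build_response_unsafe("alice", {"email": TAINTED})))
    # [('email', 'alice@example.com'), ('role', 'admin'), ('email', 'x')]
    print(attribute_pairs(build_response_safe("alice", {"email": TAINTED})))
    # [('email', 'alice@example.com</cas:email><cas:role>admin</cas:role><cas:email>x')]
```

The parsed output of the unsafe builder shows the stored value has become three elements, including one the server never configured, while the DOM-built response returns the stored string as a single attribute value.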

Solution: 

Install the latest version:

  • If you use the CAS Server module for Drupal >=9.1.x or 10.x, upgrade to CAS Server 2.0.3
  • If you use the CAS Server module for Drupal >=10.3.x or 11.x, upgrade to CAS Server 2.1.2
Reported By: 
Coordinated By: