
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN533
_____________________________________________________________________

DATE                : 21/05/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apereo CAS Java CAS Client
                              versions prior to 4.1.1.

=====================================================================
https://apereo.github.io/2026/05/20/casc-jwt-vuln/
_____________________________________________________________________

Java CAS Client JWT Vulnerability Disclosure
Wednesday, May 20, 2026

Overview

This is an Apereo CAS project vulnerability disclosure, describing an
issue in the Java CAS Client while validating tickets issued as JWT.

For additional details on how security issues, patches and
announcements are handled, please read the Apereo CAS project
vulnerability disclosure process.


Credits

This issue was reported to the project by a third-party researcher
and was then further validated and tested by Mr. Jérôme Leleu, who is
a project member and an active committer.

Thank you everyone!


Affected Deployments

If you have an application that uses the Java CAS client to integrate
with a CAS server and is configured to accept and validate JWTs issued
by that server, you are affected and need to upgrade. If that
condition does not hold for your application deployments, there is
nothing for you to do here. Keep calm and carry on.

If you or your institution is a member of the Apereo foundation with
an active support subscription supporting the CAS project, please
contact the CAS subs working group to learn more about this security
vulnerability report.


Timeline

The issue was originally reported on May 2nd 2026, and upon
confirmation, Java CAS client releases were patched and eventually
published on May 20th, 2026.


Patching

Upgrade your applications to use Java CAS client version 4.1.1.
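As an added example (not part of the CERT-Renater note or of the Apereo disclosure), the script below scans the output of `mvn dependency:tree` for Java CAS client artifacts and flags any version older than the fixed 4.1.1 release. The Maven coordinates it matches (`org.apereo.cas.client:cas-client-*`) and the sample tree are assumptions constructed for the example; adjust them to the coordinates actually used by your build.

```shell
#!/bin/sh
# Added example, not code from the CERT-Renater note or the Apereo project.
# Flags Java CAS client artifacts in a Maven dependency tree whose version
# is older than the patched release. The artifact coordinates below are an
# assumption about how the client is published; adjust for your build.

FIXED_VERSION="4.1.1"

# version_cmp A B: prints "older" if dotted version A sorts before B,
# otherwise "ok". Compares the first three numeric components and drops
# qualifiers such as "-SNAPSHOT" on the last one.
version_cmp() {
    a="$1"; b="$2"
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x%%-*}; y=${y%%-*}
        x=${x:-0};  y=${y:-0}
        if [ "$x" -lt "$y" ]; then echo older; return; fi
        if [ "$x" -gt "$y" ]; then echo ok; return; fi
        i=$((i + 1))
    done
    echo ok
}

# scan_tree: reads "mvn dependency:tree" output on stdin and prints one
# "UPGRADE: <line>" for every CAS client artifact older than FIXED_VERSION.
scan_tree() {
    grep -E 'org\.apereo\.cas\.client:cas-client-[a-z-]+:jar:' |
    while IFS= read -r line; do
        ver=$(printf '%s\n' "$line" | sed -E 's/.*:jar:([^:]+):.*/\1/')
        if [ "$(version_cmp "$ver" "$FIXED_VERSION")" = older ]; then
            printf 'UPGRADE: %s\n' "$line"
        fi
    done
}

# Constructed sample tree (assumption): one core artifact still on 4.0.4,
# one support artifact already on 4.1.1, plus an unrelated dependency.
SAMPLE_TREE='[INFO] com.example:webapp:war:1.0
[INFO] +- org.apereo.cas.client:cas-client-core:jar:4.0.4:compile
[INFO] +- org.apereo.cas.client:cas-client-support-saml:jar:4.1.1:compile
[INFO] \- org.slf4j:slf4j-api:jar:2.0.9:compile'

# Stand-alone usage: scan the constructed sample. On a real project run
#   mvn dependency:tree | scan_tree
printf '%s\n' "$SAMPLE_TREE" | scan_tree
```

Run the function against your own `mvn dependency:tree` output for every CAS-protected web application; a transitive pull of an old `cas-client-core` through another library is flagged just like a direct dependency.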


Support

Apereo CAS is Apache v2-licensed open source software under the
sponsorship of the Apereo Foundation. Support options may be found here.

Resources

    CAS Security Vulnerability Response Model
    CAS Maintenance Policy
    CAS Mailing Lists

On behalf of the CAS Application Security working group,

Misagh Moayyed

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================