View online: https://www.drupal.org/sa-contrib-2026-007
Project: Central Authentication System (CAS) Server [1] Date: 2026-January-28 Security risk: *Less critical* 6 ∕ 25 AC:Complex/A:User/CI:None/II:None/E:Theoretical/TD:Default [2] Vulnerability: XML Element Injection
Affected versions: <2.0.3 || >=2.1.0 <2.1.2 CVE IDs: CVE-2026-1554 Description: This module enables you to turn a Drupal install into the Central Authentication System (CAS). It makes your database the primary location for other systems to use for authentication in a SSO environment.
The module doesn't sufficiently sanitize user-supplied field values configured to be included as attributes in a CAS server response.
This vulnerability is mitigated by the fact that an attacker must be authenticated, have the ability to enter XML into a user entity field, and that field be configured as a CAS Attribute source leading to an XML Element Injection vulnerability.
Solution: Install the latest version:
* If you use the CAS Server module for Drupal >=9.1.x or 10.x, upgrade to CAS Server 2.0.3 [3] * If you use the CAS Server module for Drupal >=10.3.x or 11.x, upgrade to CAS Server 2.1.2 [4]
Reported By: * Gaël Gosset (gaëlg) [5]
Fixed By: * Ted Cooper (elc) [6] * Gaël Gosset (gaëlg) [7] * Jaap Jansma (jaapjansma) [8]
Coordinated By: * Greg Knaddison (greggles) [9] of the Drupal Security Team * Juraj Nemec (poker10) [10] of the Drupal Security Team
Security issue: https://git.drupalcode.org/security/30-cas_server-security/-/issues/1 [11] ------------------------------------------------------------------------------ Contribution record [12]
[1] https://www.drupal.org/project/cas_server [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/cas_server/releases/2.0.3 [4] https://www.drupal.org/project/cas_server/releases/2.1.2 [5] https://www.drupal.org/u/ga%C3%ABlg [6] https://www.drupal.org/u/elc [7] https://www.drupal.org/u/ga%C3%ABlg [8] https://www.drupal.org/u/jaapjansma [9] https://www.drupal.org/u/greggles [10] https://www.drupal.org/u/poker10 [11] https://git.drupalcode.org/security/30-cas_server-security/-/issues/1 [12] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal....