{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "extracted_events": [
              {
                "introduced": "7.3.0"
              },
              {
                "fixed": "8.0.0-RC6"
              }
            ],
            "source": [
              "DESCRIPTION",
              "REFERENCES"
            ]
          },
          "events": [
            {
              "introduced": "7eaf9bbefb8acc431e8fe2da1d3692eb16dee60b"
            },
            {
              "fixed": "3ed874463a24f2a2dc130015ebb4ecd0540f7ef9"
            },
            {
              "fixed": "22c6f4adf738852782309b523b4e80371057f2d0"
            }
          ],
          "repo": "https://github.com/apereo/cas",
          "type": "GIT"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "VulnCheck",
    "cwe_ids": [
      "CWE-323"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59099.json"
  },
  "details": "Apereo CAS 7.3.0 before 8.0.0-RC6 contains a cryptographic vulnerability that allows remote unauthenticated attackers to recover plaintext conversation state by exploiting AES-GCM initialization vector reuse across the server lifetime. Attackers can collect multiple client-side webflow execution tokens from the unauthenticated login page and perform known-plaintext analysis to decrypt the webflow conversation state due to keystream reuse caused by a fixed all-zero IV paired with the same encryption key.",
  "id": "CVE-2026-59099",
  "modified": "2026-07-16T03:31:01.815859367Z",
  "published": "2026-07-02T19:42:51.897Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://apereo.github.io/2026/06/18/vuln/"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59099.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/apereo/cas/releases/tag/v8.0.0-RC6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-59099"
    },
    {
      "type": "ADVISORY",
      "url": "https://www.vulncheck.com/advisories/apereo-cas-rc6-aes-gcm-nonce-reuse-information-disclosure"
    },
    {
      "type": "FIX",
      "url": "https://github.com/apereo/cas/commit/22c6f4adf738852782309b523b4e80371057f2d0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apereo/cas"
    },
    {
      "type": "EVIDENCE",
      "url": "https://github.com/geo-chen/oss/blob/main/cas.md"
    }
  ],
  "schema_version": "1.8.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Apereo CAS 7.3.0 \u003c 8.0.0-RC6 - AES-GCM Nonce Reuse Information Disclosure"
}