CVE-2026-1554

4.2 MEDIUM

📋 TL;DR

CVE-2026-1554 is an XML injection vulnerability in the Drupal CAS Server module: attacker-controlled input reaches an XPath query, and manipulating that query can be used to escalate privileges. It affects Drupal sites that run the CAS Server module to act as a central authentication (single sign-on) server for other applications. A successful attacker could gain unauthorized access to sensitive data or to administrative functions.

💻 Affected Systems

Products:
  • Drupal Central Authentication System (CAS) Server
Versions: 0.0.0 to 2.0.2, 2.1.0 to 2.1.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes (the module's default settings are affected once it is enabled)
Notes: Only affects Drupal sites with the CAS Server module installed and configured; sites that merely use Drupal as a CAS client (the separate cas module) are not in scope of this entry.

📦 What is this software?

The Drupal CAS Server module (cas_server) turns a Drupal site into a Central Authentication Service (CAS) single sign-on provider: client applications redirect users to the Drupal site to log in, receive a service ticket, and validate that ticket against the site's /cas/ endpoints.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full administrative access to the Drupal site, allowing complete system compromise, data theft, or site defacement.

🟠

Likely Case

Privilege escalation to gain access to restricted content or user accounts beyond intended permissions.

🟢

If Mitigated

Limited impact with proper input validation and least privilege access controls in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ❌ No (exploitation requires an authenticated session on the site)
Complexity: MEDIUM

Requires understanding of XPath injection techniques and CAS Server implementation details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.3 (2.0.x branch) or 2.1.2 (2.1.x branch)

Vendor Advisory: https://www.drupal.org/sa-contrib-2026-007

Restart Required: No

Instructions:

1. Update the CAS Server module to 2.0.3 (2.0.x) or 2.1.2 (2.1.x). On Composer-managed sites update the drupal/cas_server package with Composer; only use Drupal's update manager UI on sites that are not managed by Composer.
2. Run any pending database updates and clear Drupal caches.
3. Verify module functionality: confirm that login and service-ticket validation still work for at least one CAS client application.

🔧 Temporary Workarounds

Disable CAS Server Module

linux

Temporarily uninstall the vulnerable module until patching is possible. Drupal 8 and later have no "disabled" state for modules, so this removes the module's configuration: export your configuration first, and expect single sign-on to stop working for every CAS client application while the module is uninstalled.

drush pm:uninstall cas_server

Implement Input Validation

all

Reject or escape XML and XPath metacharacters (quotes, square brackets, angle brackets, double slashes) in parameters reaching the CAS endpoints. Because the affected code is inside the module, the practical place to do this without forking it is a WAF or reverse-proxy rule in front of the /cas/ paths; treat this as a stopgap, not a substitute for the fixed release.

🧯 If You Can't Patch

  • Implement network segmentation to isolate CAS Server from critical systems
  • Enable detailed logging and monitoring for CAS authentication attempts

🔍 How to Verify

Check if Vulnerable:

List the installed CAS Server module version with drush, or read it from the Extend page of the Drupal admin interface, and compare it against the affected ranges above (0.0.0 to 2.0.2 and 2.1.0 to 2.1.1).

Check Version:

drush pm:list --fields=name,version | grep cas_server

Verify Fix Applied:

Confirm the installed version is 2.0.3 or higher on the 2.0.x branch, or 2.1.2 or higher on the 2.1.x branch. A -dev build of either branch cannot be confirmed fixed from its version string alone; check the commit it was built from against the advisory.
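The branch-aware version test described above, as an added Python example; it is not part of this advisory card or of the cas_server module. It parses constructed drush table output and assumes the `drush pm:list --fields=name,version` layout (machine name in the first column, version in the second); a dev build is returned as "unknown" rather than guessed.

```python
import re

# Affected ranges listed on this card: 0.0.0-2.0.2 and 2.1.0-2.1.1.
FIXED_2_0 = (2, 0, 3)   # first fixed release on the 2.0.x branch
FIXED_2_1 = (2, 1, 2)   # first fixed release on the 2.1.x branch


def parse_version(text):
    """Turn '2.1.1' or a legacy '8.x-1.2' into a tuple of ints.
    Dev builds such as '2.1.x-dev' cannot be judged by string alone: return None."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?$", text.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version):
    """True if the version falls in an affected range, False if fixed or
    outside both ranges, None if it needs manual review (dev build)."""
    v = parse_version(version)
    if v is None:
        return None
    if v < FIXED_2_0:                      # covers every 1.x and 2.0.0-2.0.2
        return True
    if (2, 1, 0) <= v < FIXED_2_1:         # 2.1.0 and 2.1.1
        return True
    return False


def check_drush_output(output):
    """Find the cas_server row in `drush pm:list --fields=name,version` output.
    Returns (version, verdict), or (None, None) if the module is not listed."""
    for line in output.splitlines():
        cols = line.split()
        if len(cols) >= 2 and cols[0] == "cas_server":
            return cols[1], is_vulnerable(cols[1])
    return None, None


# Constructed sample of drush table output (assumed layout, not a real site).
SAMPLE_OUTPUT = """\
 ------------ ---------
  Name         Version
 ------------ ---------
  cas          2.3.1
  cas_server   2.1.1
  user
 ------------ ---------
"""

if __name__ == "__main__":
    version, verdict = check_drush_output(SAMPLE_OUTPUT)
    state = {True: "VULNERABLE", False: "fixed", None: "manual review"}[verdict]
    print(f"cas_server {version}: {state}")
```

Pipe real output in with `drush pm:list --fields=name,version | python3 check.py` after replacing SAMPLE_OUTPUT with `sys.stdin.read()`; the two-branch comparison is what a plain "is it >= 2.1.2" check gets wrong, since 2.0.3 is fixed while 2.1.0 is not.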

📡 Detection & Monitoring

Log Indicators:

  • Unusual XML payloads in authentication requests
  • Failed authentication attempts with malformed XML
  • Unexpected privilege changes in user accounts

Network Indicators:

  • XML payloads containing XPath injection patterns in CAS authentication traffic

SIEM Query:

Illustrative Splunk-style query; adapt the field names to your log schema. Searching for the literal words "injection" or "malformed" matches nothing useful, so match the metacharacters (raw and percent-encoded) in CAS requests instead:

source="drupal" AND ("cas_server" OR uri="/cas/*") AND ("'" OR "]" OR "<" OR "%27" OR "%5D" OR "%3C")
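The same indicator logic applied offline to web-server access logs, as an added Python example that is not part of this advisory card or of the cas_server module. It assumes the standard CAS protocol paths under /cas/ and Combined Log Format lines; the four sample lines are constructed, not captured traffic. Only GET query strings are visible in an access log, so POST bodies (the /cas/login form) need application-level logging.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed: cas_server serves the CAS protocol endpoints under this prefix.
CAS_PATH_PREFIX = "/cas/"

# Combined Log Format: ip ident user [timestamp] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristic indicators, checked against each percent-decoded parameter value.
INDICATORS = [
    ("quote",           re.compile(r"['\"]")),                    # breaks out of a quoted XPath literal
    ("xpath_predicate", re.compile(r"[\[\]]")),                   # opens or closes a [...] predicate
    ("xpath_axis",      re.compile(r"(?<!:)//")),                 # descendant axis; the '://' in URLs is excluded
    ("boolean_op",      re.compile(r"\b(?:or|and)\b\s*['\"\d(]", re.I)),  # ' or '1'='1 style tautology
    ("xml_markup",      re.compile(r"<[/!?a-zA-Z]")),             # literal XML tags inside a parameter
]


def classify_param(value):
    """Return the names of every indicator that fires on one decoded value."""
    return [name for name, rx in INDICATORS if rx.search(value)]


def scan_access_log(lines):
    """Return one finding per CAS request parameter carrying XPath/XML metacharacters."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                  # not a request line we understand
        parts = urlsplit(m.group("target"))
        if not parts.path.startswith(CAS_PATH_PREFIX):
            continue                                  # not CAS traffic
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            hits = classify_param(value)              # parse_qsl has already percent-decoded
            if hits:
                findings.append({
                    "ip": m.group("ip"), "time": m.group("ts"),
                    "path": parts.path, "param": key,
                    "value": value, "indicators": hits,
                })
    return findings


# Constructed sample lines (not real traffic): one clean CAS request, two
# suspicious ones, and one non-CAS request that must be ignored.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2026:10:11:12 +0000] "GET /cas/login?service=https%3A%2F%2Fapp.example%2Fcallback HTTP/1.1" 302 0
203.0.113.9 - - [10/Mar/2026:10:12:30 +0000] "GET /cas/serviceValidate?service=https%3A%2F%2Fapp.example%2F%27%5D%20or%20%271%27%3D%271&ticket=ST-1-abc HTTP/1.1" 200 600
203.0.113.9 - - [10/Mar/2026:10:12:41 +0000] "GET /cas/proxyValidate?service=https%3A%2F%2Fapp.example%2F&ticket=ST-2-x%3C%2Fcas%3Auser%3E%3Ccas%3Auser%3Eadmin HTTP/1.1" 200 611
198.51.100.2 - - [10/Mar/2026:10:13:02 +0000] "GET /user/login?destination=%2Fadmin%27%5D HTTP/1.1" 200 3100
""".splitlines()

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['path']} {f['param']}={f['value']!r} -> {', '.join(f['indicators'])}")
```

The `service` parameter is a URL by design, so the scanner decodes each value before matching and deliberately ignores the `//` of a scheme; anything else that would change the meaning of an XPath expression or an XML document is reported with the indicator names, which map directly onto the log and network indicators listed above.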
