Public administration & identity (CH / DACH lead) — the LMS, SSO and e-government estate under multi-product pressure
From CTI Weekly Summary — 2026-W22 (May 25 – May 31, 2026) · published 2026-05-25
The week put the public-sector identity and web estate under pressure from several directions at once, with a direct Swiss nexus. ILIAS LMS — the open-source learning platform deployed across German and Swiss public-sector and university estates — shipped nine fixes on 2026-05-27 including two critical access-control gaps (CVSS 9.8 and 9.3), with NCSC.ch flagging the SOAP interface as the primary unauthenticated attack surface (2026-05-28). In parallel, Apereo CAS patched an OIDC-provider flaw that was reported by Coop Switzerland, with CERT-FR issuing CERTFR-2026-AVI-0654 (2026-05-29) — relevant to any CH/EU entity running CAS as an OpenID Connect IdP. Further afield in the same estate class, Lithuania's Centre of Registers lost ~600,000 state-register records to abused institutional credentials with a foreign state suspected (2026-05-27), and Poland's Szafir SDK signature-verification bypass (CVE-2026-9058) struck e-government signing (2026-05-26). The cross-cutting takeaway: the contested surface for public administration this week was the identity and document/learning-platform middleware (SOAP endpoints, OIDC providers, signature SDKs), not the citizen-facing front ends.