ctipilot.ch

Apereo CAS 7.3.7.1 patches an OIDC-provider flaw reported by Coop Switzerland; CERT-FR issues advisory

vulnerability-trend · item:apereo-cas-7-3-7-1-oidc-provider-coop-switzerland-reporter

Coverage timeline: 1 (first 2026-05-29 → last 2026-05-29)
Briefs: 1 (1 distinct)
Sources cited: 2 (2 hosts)
Sections touched: 1 (active_threats)
Co-occurring entities: 5 (see Related entities below)

Story timeline

  1. 2026-05-29 · CTI Daily Brief — 2026-05-29
    active_threats · First coverage. CH-discovered (Coop Switzerland) OIDC IdP flaw in Apereo CAS; CERT-FR CERTFR-2026-AVI-0654. Full detail withheld pending grace window. Upgrade to 7.3.7.1 on OIDC-IdP deployments.

Where this entity is cited

  • active_threats · 1

Source distribution

  • apereo.github.io · 1 (50%)
  • cert.ssi.gouv.fr · 1 (50%)

Related entities

Items in briefs about Apereo CAS 7.3.7.1 patches an OIDC-provider flaw reported by Coop Switzerland; CERT-FR issues advisory (1)

Apereo CAS version 7.3.7.1 patches an OIDC-provider flaw reported by Coop Switzerland; CERT-FR issues advisory CERTFR-2026-AVI-0654

From CTI Daily Brief — 2026-05-29 · published 2026-05-29

The Apereo Foundation released CAS version 7.3.7.1 on 2026-05-27, fixing an unspecified vulnerability in the OpenID Connect identity-provider component of its Central Authentication Service. Apereo scoped the disclosure to deployments where CAS acts as an OIDC IdP; it made no explicit statement about non-OIDC deployments, but the scoping suggests that SAML- or Kerberos-only configurations are out of scope of this specific defect. The reporters are Artur Stoecklin and David Roth at Coop (Switzerland), who reported the issue to the Apereo team via the YesWeHack bug-bounty platform, making this a directly CH-discovered identity-infrastructure issue rather than a vendor-only disclosure. CERT-FR / ANSSI issued advisory CERTFR-2026-AVI-0654 on 2026-05-28, describing the impact as "a security problem not specified by the vendor" ("un problème de sécurité non spécifié par l'éditeur") and recommending immediate patching. Full technical details are withheld pending the standard security grace window. Apereo CAS is the dominant open-source SSO platform in European higher education and is also deployed across Swiss federal and cantonal administrations.

Why it matters to us: CH-relevant identity infrastructure with an EU-wide deployment footprint and a CH-sourced disclosure. Until technical detail is public, prioritise upgrading every CAS instance acting as an OIDC IdP to the fixed version 7.3.7.1, and monitor OIDC token-issuance logs for unexpected client_id values, anomalous sub claims and tokens granted to unregistered clients.
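A defender acting on that monitoring recommendation needs something concrete to run over the token-issuance log. The Python below is an added example and is not code from the brief, from Apereo or from CERT-FR: it parses constructed key=value log lines (the layout is a placeholder for whatever your CAS build actually emits, so adapt parse_line() to your own log format), compares each client_id against an assumed client registry, checks the sub claim against an assumed identifier pattern, and flags a grant type that a registered client is not expected to use. All client names, subjects and the sample log lines are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed registry of registered OIDC clients and the grant types each one
# is expected to use. Hypothetical values, not taken from any real deployment.
REGISTERED_CLIENTS = {
    "lms-portal": {"authorization_code"},
    "hr-app": {"authorization_code", "refresh_token"},
}

# Assumed shape of the sub claim for this deployment: a plain lowercase
# account name. Adjust to your own identifier convention.
SUB_PATTERN = re.compile(r"^[a-z][a-z0-9._-]{1,31}$")

# key=value (optionally double-quoted) pairs; a constructed placeholder layout.
PAIR_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Constructed sample log: one clean issuance, one to an unregistered client,
# one with an oddly shaped sub, one with an unexpected grant type, and one
# unrelated event that the check must ignore.
SAMPLE_LOG = """\
2026-05-29T08:01:02Z event=OIDC_TOKEN_ISSUED client_id=lms-portal sub=jdoe grant_type=authorization_code
2026-05-29T08:01:09Z event=OIDC_TOKEN_ISSUED client_id=unknown-client sub=jdoe grant_type=authorization_code
2026-05-29T08:02:11Z event=OIDC_TOKEN_ISSUED client_id=hr-app sub="J.Doe@external.example" grant_type=authorization_code
2026-05-29T08:03:45Z event=OIDC_TOKEN_ISSUED client_id=lms-portal sub=asmith grant_type=client_credentials
2026-05-29T08:04:00Z event=TGT_CREATED principal=asmith
"""


@dataclass
class Finding:
    timestamp: str
    client_id: str
    sub: str
    reason: str


def parse_line(line):
    """Split one log line into a dict of key=value fields (quotes stripped)."""
    fields = {}
    for m in PAIR_RE.finditer(line):
        key = m.group(1)
        value = m.group(3) if m.group(3) is not None else m.group(2)
        fields[key] = value
    return fields


def inspect_line(line, registry=REGISTERED_CLIENTS, sub_pattern=SUB_PATTERN):
    """Return the findings for one token-issuance event (empty list if clean)."""
    fields = parse_line(line)
    if fields.get("event") != "OIDC_TOKEN_ISSUED":
        return []  # not a token issuance; the checks do not apply
    timestamp = line.split(" ", 1)[0]
    client_id = fields.get("client_id", "")
    sub = fields.get("sub", "")
    grant = fields.get("grant_type", "")
    findings = []

    allowed_grants = registry.get(client_id)
    if allowed_grants is None:
        # A token was granted to a client_id that is not in the registry.
        findings.append(Finding(timestamp, client_id, sub,
                                "token issued to unregistered client_id"))
    elif grant not in allowed_grants:
        # Registered client, but using a grant type it is not expected to use.
        findings.append(Finding(timestamp, client_id, sub,
                                f"grant_type {grant!r} not expected for this client"))

    if not sub_pattern.match(sub):
        # The subject does not look like an account name from this deployment.
        findings.append(Finding(timestamp, client_id, sub,
                                "sub claim does not match the expected identifier shape"))
    return findings


def scan(log_text, **kwargs):
    """Run inspect_line() over every non-empty line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            findings.extend(inspect_line(line, **kwargs))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.timestamp} client_id={f.client_id} sub={f.sub!r}: {f.reason}")
```

The registry and the sub pattern are the two knobs to tune: feed the registry from the service definitions your CAS instance actually loads, and tighten or loosen the pattern to whatever your directory issues as principal identifiers, so that a genuine subject is never reported and an out-of-shape one always is.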