CVE-2026-1554 identifies a Blind XPath Injection vulnerability (CWE-91) in the Drupal Central Authentication System (CAS) Server, affecting versions prior to 2.0.3 and between 2.1.0 and 2.1.2. The vulnerability arises from improper sanitization of XML inputs used in authentication requests, allowing attackers to inject malicious XPath queries. These queries can manipulate the authentication logic, enabling privilege escalation by bypassing or altering access controls. The attack vector is network-based, requiring the attacker to have low privileges but no user interaction. The complexity is high due to the need to craft precise XPath injections without direct feedback (blind injection). The vulnerability impacts confidentiality and integrity by potentially exposing or modifying authentication credentials or session data, but does not affect availability. No patches are linked in the provided data, but upgrading to fixed versions beyond 2.0.3 and 2.1.2 is implied. No known exploits have been reported in the wild, suggesting limited active exploitation. The vulnerability is significant in environments where Drupal CAS Server is used for centralized authentication, especially in large organizations or critical infrastructure relying on secure identity management.

For European organizations, this vulnerability poses a risk of unauthorized privilege escalation within authentication systems, potentially leading to unauthorized access to sensitive applications and data. Compromise of the CAS Server could undermine the integrity of authentication processes, allowing attackers to impersonate users or administrators. This could result in data breaches, unauthorized transactions, or lateral movement within networks. Organizations in sectors such as government, finance, healthcare, and critical infrastructure that rely on Drupal CAS for identity management are particularly at risk. The medium severity score reflects that while exploitation is not trivial, the consequences of successful attacks can be significant, especially in environments with sensitive or regulated data. The lack of known exploits reduces immediate risk but does not eliminate the need for prompt remediation to prevent future attacks.

1. Upgrade the Drupal CAS Server to versions later than 2.0.3 and 2.1.2 where the vulnerability is fixed. 2. Implement strict input validation and sanitization on all XML inputs to the authentication system to prevent injection of malicious XPath queries. 3. Employ XML parsing libraries that are hardened against injection attacks and disable unnecessary XML features that could be exploited. 4. Monitor authentication logs for unusual or suspicious XPath query patterns indicative of injection attempts. 5. Conduct regular security assessments and penetration testing focused on authentication mechanisms. 6. Apply network segmentation and access controls to limit exposure of the CAS Server to untrusted networks. 7. Educate developers and administrators about secure coding practices related to XML processing and authentication logic. 8. Maintain an incident response plan to quickly address any detected exploitation attempts.