CVE-2026-1554 is an XML Injection vulnerability categorized under CWE-91, specifically a Blind XPath Injection, affecting the Drupal Central Authentication System (CAS) Server. The vulnerability exists in the way the CAS Server processes XML input for authentication purposes. Versions from 0.0.0 before 2.0.3 and from 2.1.0 before 2.1.2 are vulnerable. An attacker can craft malicious XML payloads that manipulate XPath queries used internally by the CAS Server, bypassing intended access controls or escalating privileges. This injection flaw allows attackers to infer information about the XML structure and authentication logic without direct feedback (blind injection), making exploitation stealthy but effective. The vulnerability impacts the confidentiality and integrity of authentication mechanisms, potentially allowing unauthorized users to gain elevated access rights. No public exploits are currently known, but the vulnerability is published and should be considered a serious risk. The absence of a CVSS score necessitates a severity assessment based on the impact and exploitability. The flaw does not require user interaction but does require the attacker to send crafted XML requests to the CAS Server. The scope includes all systems running the affected versions of the Drupal CAS Server, which is commonly used in enterprise and government environments for centralized authentication. The vulnerability undermines trust in the authentication process, potentially leading to broader network compromise if exploited.

For European organizations, the impact of CVE-2026-1554 can be significant, especially those relying on Drupal CAS Server for centralized authentication across multiple services. Successful exploitation could lead to unauthorized privilege escalation, allowing attackers to impersonate legitimate users or administrators. This can result in unauthorized access to sensitive data, disruption of services, and potential lateral movement within networks. Given the critical role of authentication systems, compromise could undermine the security of entire IT infrastructures. Sectors such as government, finance, healthcare, and critical infrastructure operators in Europe are particularly at risk due to their reliance on robust authentication mechanisms. The stealthy nature of blind XPath injection complicates detection, increasing the risk of prolonged undetected intrusions. Additionally, the lack of known public exploits suggests that organizations may be unprepared, increasing the window of vulnerability. The impact extends beyond confidentiality to integrity and availability, as attackers might manipulate authentication flows or cause denial of service by exploiting malformed XML inputs.

To mitigate CVE-2026-1554, European organizations should immediately identify and inventory all instances of Drupal CAS Server in their environments. The primary mitigation is to upgrade affected CAS Server versions to the latest patched releases beyond 2.0.3 and 2.1.2, where the vulnerability is addressed. If immediate patching is not feasible, organizations should implement strict input validation and sanitization on all XML inputs processed by the CAS Server, ensuring that XPath queries cannot be manipulated. Employing XML parsing libraries that enforce schema validation and reject unexpected or malformed XML can reduce risk. Network-level controls such as Web Application Firewalls (WAFs) should be configured to detect and block suspicious XML payloads indicative of XPath injection attempts. Monitoring authentication logs for anomalies or repeated failed authentication attempts with unusual XML structures can help detect exploitation attempts early. Additionally, applying the principle of least privilege to CAS Server components and isolating authentication services can limit the blast radius of a successful attack. Organizations should also conduct penetration testing focused on XML injection vectors to validate their defenses.