Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A weakness has been identified in Casdoor 2.356.0. This vulnerability affects unknown code of the component Webhook URL Handler. Executing a manipulation can lead to server-side request forgery. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Server-side request forgery in Casdoor 2.356.0 webhook URL handler allows authenticated remote attackers with high privileges to trigger SSRF attacks through webhook URL manipulation, enabling potential access to internal network resources. No public exploit code or active exploitation has been identified; CVSS 5.1 reflects limited confidentiality and integrity impact despite remote network accessibility.
Technical ContextAI
Casdoor's webhook URL handler component fails to properly validate or restrict the destination URLs that can be specified for webhook callbacks. This enables server-side request forgery (CWE-918), a class of vulnerability where an attacker manipulates server-side HTTP requests to access internal resources, bypassing network segmentation and access controls. The vulnerability resides in the webhook configuration mechanism, where user-supplied URLs are processed server-side without adequate sanitization. The affected product is identified via CPE as Casdoor (cpe:2.3:a:n/a:casdoor), with version 2.356.0 explicitly confirmed vulnerable. SSRF vulnerabilities in webhook handlers are particularly dangerous because webhooks inherently require outbound network requests, making legitimate and malicious traffic difficult to distinguish.
RemediationAI
Apply a patched version of Casdoor released after version 2.356.0 once vendor fixes become available. As a temporary mitigation, restrict webhook URL configuration to authenticated high-privilege accounts only, implement network-level restrictions on outbound connections from the Casdoor server to internal IP ranges (RFC 1918 addresses, localhost, 169.254.x.x), and use allowlist-based URL validation to restrict webhook destinations to approved external hosts. Monitor webhook configuration changes and outbound connections for anomalous behavior. Note: the vendor did not respond to early disclosure notifications, so updates may require monitoring Casdoor's public repository or release announcements directly.
Casdoor v1.97.3 was discovered to contain an arbitrary file write vulnerability via the fullFilePath parameter at /api/u
Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated high severity (CVSS 8.
Casdoor before v1.126.1 was discovered to contain an arbitrary file deletion vulnerability via the uploadFile function.
Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-passwo
Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated medium severity (CVSS
Path traversal in Casdoor's Local File System storage provider allows authenticated administrators to write arbitrary fi
Token revocation bypass in Casdoor identity management platform (versions 2.362.0 and earlier) allows remote unauthentic
Cross-organization token exchange in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to esc
SAML authentication bypass in Casdoor 2.362.0 and earlier allows remote unauthenticated attackers to authenticate as arb
Account takeover in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to hijack accounts by s
Authentication bypass in Casdoor 2.362.0 and earlier permits remote attackers controlling a registered upstream Identity
Authentication bypass in Casdoor identity and access management platform (versions ≤2.362.0) allows remote unauthenticat
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18658
GHSA-p8c7-hjc4-gwf8