Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionCVE.org
Casdoor versions 2.362.0 and earlier contain a vulnerability that allows an attacker to bypass authentication by supplying an arbitrary signing certificate. The buildSpCertificateStore function extracts the X.509 certificate directly from the incoming SAMLResponse instead of using the trusted pre-configured Identity Provider certificate, allowing an attacker to forge assertions signed with an attacker-controlled key.
AnalysisAI
Authentication bypass in Casdoor identity and access management platform (versions ≤2.362.0) allows remote unauthenticated attackers to forge SAML assertions signed with attacker-controlled keys, impersonating arbitrary users. The flaw resides in the buildSpCertificateStore function, which trusts the X.509 certificate embedded in the inbound SAMLResponse rather than validating against the pre-configured Identity Provider certificate. No public exploit identified at time of analysis, and EPSS is currently low (0.01%), but SSVC flags the issue as automatable with total technical impact.
Technical ContextAI
Casdoor is an open-source Identity-as-a-Service (IDaaS) and Single Sign-On platform that supports SAML 2.0 as a federation protocol (cpe:2.3:a:casdoor:casdoor). In a correctly implemented SAML Service Provider, the SP must verify the signature on the IdP's <Response> or <Assertion> using a certificate that was previously exchanged and pinned during federation setup (the IdP metadata or trust store). Here, buildSpCertificateStore extracts the X.509 certificate directly from the <ds:KeyInfo>/<ds:X509Certificate> element inside the incoming SAMLResponse and uses it to validate the signature - a classic improper-trust-establishment pattern aligned with CWE-347 (Improper Verification of Cryptographic Signature) and CWE-287 (Improper Authentication). Although the input lists CWE as N/A, the root cause is that the certificate used for verification is attacker-controlled, so any self-generated keypair will produce a 'valid' signature over a forged assertion.
RemediationAI
No vendor-released patch identified at time of analysis from the supplied references - the EUVD entry lists 0 ≤ 2.362.0 as affected without naming a fixed release, so operators should monitor the Casdoor GitHub repository and CERT/CC VU#780781 (https://kb.cert.org/vuls/id/780781) for the upgrade target and apply it as soon as it is published. Until a fix is available, compensating controls should focus on the SAML SP code path: disable SAML-based login providers in Casdoor and force users onto OAuth/OIDC or local auth if business workflows permit (trade-off: breaks federated SSO with external IdPs); restrict network access to the SAML ACS (Assertion Consumer Service) endpoint to only the egress IP ranges of trusted IdPs via reverse-proxy ACLs or WAF rules (trade-off: will not stop an attacker who can spoof or reach from a trusted network segment, and breaks IdP-initiated SSO from roaming users); and add a WAF rule that strips or rejects SAMLResponse bodies containing inline <ds:X509Certificate> elements that do not match the fingerprint of the configured IdP certificate (trade-off: brittle, may break legitimate IdPs that include their cert in the response).
Casdoor v1.97.3 was discovered to contain an arbitrary file write vulnerability via the fullFilePath parameter at /api/u
Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated high severity (CVSS 8.
Casdoor before v1.126.1 was discovered to contain an arbitrary file deletion vulnerability via the uploadFile function.
Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-passwo
Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated medium severity (CVSS
Path traversal in Casdoor's Local File System storage provider allows authenticated administrators to write arbitrary fi
Token revocation bypass in Casdoor identity management platform (versions 2.362.0 and earlier) allows remote unauthentic
Cross-organization token exchange in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to esc
SAML authentication bypass in Casdoor 2.362.0 and earlier allows remote unauthenticated attackers to authenticate as arb
Account takeover in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to hijack accounts by s
Authentication bypass in Casdoor 2.362.0 and earlier permits remote attackers controlling a registered upstream Identity
Authentication bypass in Casdoor (versions ≤2.362.0) allows remote attackers to replay captured SAML assertions to hijac
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32941
GHSA-fwgq-j9r9-qjgr