Skip to main content

Casdoor CVE-2026-9090

| EUVDEUVD-2026-32941 CRITICAL
2026-05-28 certcc GHSA-fwgq-j9r9-qjgr
9.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Analysis Generated
May 29, 2026 - 22:30 vuln.today
CVSS changed
May 29, 2026 - 20:22 NVD
9.1 (CRITICAL)
CVE Published
May 28, 2026 - 16:17 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Casdoor versions 2.362.0 and earlier contain a vulnerability that allows an attacker to bypass authentication by supplying an arbitrary signing certificate. The buildSpCertificateStore function extracts the X.509 certificate directly from the incoming SAMLResponse instead of using the trusted pre-configured Identity Provider certificate, allowing an attacker to forge assertions signed with an attacker-controlled key.

AnalysisAI

Authentication bypass in Casdoor identity and access management platform (versions ≤2.362.0) allows remote unauthenticated attackers to forge SAML assertions signed with attacker-controlled keys, impersonating arbitrary users. The flaw resides in the buildSpCertificateStore function, which trusts the X.509 certificate embedded in the inbound SAMLResponse rather than validating against the pre-configured Identity Provider certificate. No public exploit identified at time of analysis, and EPSS is currently low (0.01%), but SSVC flags the issue as automatable with total technical impact.

Technical ContextAI

Casdoor is an open-source Identity-as-a-Service (IDaaS) and Single Sign-On platform that supports SAML 2.0 as a federation protocol (cpe:2.3:a:casdoor:casdoor). In a correctly implemented SAML Service Provider, the SP must verify the signature on the IdP's <Response> or <Assertion> using a certificate that was previously exchanged and pinned during federation setup (the IdP metadata or trust store). Here, buildSpCertificateStore extracts the X.509 certificate directly from the <ds:KeyInfo>/<ds:X509Certificate> element inside the incoming SAMLResponse and uses it to validate the signature - a classic improper-trust-establishment pattern aligned with CWE-347 (Improper Verification of Cryptographic Signature) and CWE-287 (Improper Authentication). Although the input lists CWE as N/A, the root cause is that the certificate used for verification is attacker-controlled, so any self-generated keypair will produce a 'valid' signature over a forged assertion.

RemediationAI

No vendor-released patch identified at time of analysis from the supplied references - the EUVD entry lists 0 ≤ 2.362.0 as affected without naming a fixed release, so operators should monitor the Casdoor GitHub repository and CERT/CC VU#780781 (https://kb.cert.org/vuls/id/780781) for the upgrade target and apply it as soon as it is published. Until a fix is available, compensating controls should focus on the SAML SP code path: disable SAML-based login providers in Casdoor and force users onto OAuth/OIDC or local auth if business workflows permit (trade-off: breaks federated SSO with external IdPs); restrict network access to the SAML ACS (Assertion Consumer Service) endpoint to only the egress IP ranges of trusted IdPs via reverse-proxy ACLs or WAF rules (trade-off: will not stop an attacker who can spoof or reach from a trusted network segment, and breaks IdP-initiated SSO from roaming users); and add a WAF rule that strips or rejects SAMLResponse bodies containing inline <ds:X509Certificate> elements that do not match the fingerprint of the configured IdP certificate (trade-off: brittle, may break legitimate IdPs that include their cert in the response).

CVE-2022-38638 CRITICAL POC
9.1 Sep 09

Casdoor v1.97.3 was discovered to contain an arbitrary file write vulnerability via the fullFilePath parameter at /api/u

CVE-2024-41657 HIGH POC
8.8 Aug 20

Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated high severity (CVSS 8.

CVE-2022-44942 HIGH POC
8.1 Dec 07

Casdoor before v1.126.1 was discovered to contain an arbitrary file deletion vulnerability via the uploadFile function.

CVE-2023-34927 MEDIUM POC
6.5 Jun 22

Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-passwo

CVE-2024-41658 MEDIUM POC
6.1 Aug 20

Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated medium severity (CVSS

CVE-2026-6815 MEDIUM POC
5.9 May 11

Path traversal in Casdoor's Local File System storage provider allows authenticated administrators to write arbitrary fi

CVE-2026-9097 CRITICAL
9.8 May 28

Token revocation bypass in Casdoor identity management platform (versions 2.362.0 and earlier) allows remote unauthentic

CVE-2026-9094 CRITICAL
9.8 May 28

Cross-organization token exchange in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to esc

CVE-2026-9093 CRITICAL
9.8 May 28

SAML authentication bypass in Casdoor 2.362.0 and earlier allows remote unauthenticated attackers to authenticate as arb

CVE-2026-9092 CRITICAL
9.1 May 28

Account takeover in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to hijack accounts by s

CVE-2026-9098 CRITICAL
9.1 May 28

Authentication bypass in Casdoor 2.362.0 and earlier permits remote attackers controlling a registered upstream Identity

CVE-2026-9095 HIGH
8.1 May 28

Authentication bypass in Casdoor (versions ≤2.362.0) allows remote attackers to replay captured SAML assertions to hijac

Share

CVE-2026-9090 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy