Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Casdoor versions 2.362.0 and earlier contain a logic flaw in the social‑login binding flow that allows users to bypass configured MFA requirements. The binding‑rule code path in controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable. Any user authenticating via this path is logged in without MFA enforcement.
AnalysisAI
MFA enforcement in Casdoor 2.362.0 and earlier is completely bypassable via the social-login binding flow, where controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable, granting fully authenticated sessions to users who should face a second factor. Remote unauthenticated attackers with access to a linked social identity provider account can exploit this to authenticate as any MFA-protected Casdoor user, nullifying MFA as a compensating control. No public exploit has been identified at time of analysis and EPSS probability is 0.02%, though SSVC classifies the attack as automatable, indicating scripted mass exploitation is technically feasible once targeting criteria are met.
Technical ContextAI
Casdoor is an open-source identity and access management platform providing SSO, OAuth 2.0, and social-login integration. The vulnerable code path resides in controllers/auth.go within the social-login account binding flow - the logic block that links external identity provider accounts (e.g., GitHub, Google OAuth/OIDC) to Casdoor user identities. In this path, upon successful binding, HandleLoggedIn is invoked directly to create an authenticated session, skipping the checkMfaEnable guard that would otherwise gate login behind a second factor. Although no CWE is formally assigned, the root cause class maps closely to CWE-287 (Improper Authentication) or CWE-304 (Missing Critical Step in Authentication). All Casdoor application instances are affected per CPE cpe:2.3:a:casdoor:casdoor:*:*:*:*:*:*:*:*, covering every version from 0 through 2.362.0 inclusive as confirmed by ENISA EUVD-2026-32942.
RemediationAI
The primary remediation is to upgrade Casdoor to a version beyond 2.362.0 that includes a fix for the missing checkMfaEnable call in the social-login binding code path in controllers/auth.go; however, no specific patched release version number is confirmed in the available data, and the exact fix version must be verified directly from the Casdoor project maintainers and the CERT/CC advisory at https://kb.cert.org/vuls/id/780781 before deploying. As a compensating control while awaiting a confirmed patch, administrators should disable the social-login binding feature entirely if MFA enforcement is a hard security or compliance requirement - this eliminates the vulnerable code path at the cost of SSO convenience for social identity providers. Alternatively, restrict network access to the Casdoor social-login binding endpoint via reverse proxy or firewall rules to trusted IP ranges, reducing the automatable attack surface while accepting reduced availability for remote social-login users. Authentication logs should be actively monitored for sessions established via social-login paths that lack a corresponding MFA event as an anomaly detection measure.
Casdoor v1.97.3 was discovered to contain an arbitrary file write vulnerability via the fullFilePath parameter at /api/u
Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated high severity (CVSS 8.
Casdoor before v1.126.1 was discovered to contain an arbitrary file deletion vulnerability via the uploadFile function.
Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-passwo
Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated medium severity (CVSS
Path traversal in Casdoor's Local File System storage provider allows authenticated administrators to write arbitrary fi
Token revocation bypass in Casdoor identity management platform (versions 2.362.0 and earlier) allows remote unauthentic
Cross-organization token exchange in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to esc
SAML authentication bypass in Casdoor 2.362.0 and earlier allows remote unauthenticated attackers to authenticate as arb
Account takeover in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to hijack accounts by s
Authentication bypass in Casdoor 2.362.0 and earlier permits remote attackers controlling a registered upstream Identity
Authentication bypass in Casdoor identity and access management platform (versions ≤2.362.0) allows remote unauthenticat
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32942
GHSA-gv4m-v8c8-hr3g