Skip to main content

Casdoor CVE-2026-9091

| EUVDEUVD-2026-32942 MEDIUM
2026-05-28 certcc GHSA-gv4m-v8c8-hr3g
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
May 29, 2026 - 22:32 vuln.today
CVSS changed
May 29, 2026 - 20:22 NVD
5.3 (MEDIUM)
CVE Published
May 28, 2026 - 16:19 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Casdoor versions 2.362.0 and earlier contain a logic flaw in the social‑login binding flow that allows users to bypass configured MFA requirements. The binding‑rule code path in controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable. Any user authenticating via this path is logged in without MFA enforcement.

AnalysisAI

MFA enforcement in Casdoor 2.362.0 and earlier is completely bypassable via the social-login binding flow, where controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable, granting fully authenticated sessions to users who should face a second factor. Remote unauthenticated attackers with access to a linked social identity provider account can exploit this to authenticate as any MFA-protected Casdoor user, nullifying MFA as a compensating control. No public exploit has been identified at time of analysis and EPSS probability is 0.02%, though SSVC classifies the attack as automatable, indicating scripted mass exploitation is technically feasible once targeting criteria are met.

Technical ContextAI

Casdoor is an open-source identity and access management platform providing SSO, OAuth 2.0, and social-login integration. The vulnerable code path resides in controllers/auth.go within the social-login account binding flow - the logic block that links external identity provider accounts (e.g., GitHub, Google OAuth/OIDC) to Casdoor user identities. In this path, upon successful binding, HandleLoggedIn is invoked directly to create an authenticated session, skipping the checkMfaEnable guard that would otherwise gate login behind a second factor. Although no CWE is formally assigned, the root cause class maps closely to CWE-287 (Improper Authentication) or CWE-304 (Missing Critical Step in Authentication). All Casdoor application instances are affected per CPE cpe:2.3:a:casdoor:casdoor:*:*:*:*:*:*:*:*, covering every version from 0 through 2.362.0 inclusive as confirmed by ENISA EUVD-2026-32942.

RemediationAI

The primary remediation is to upgrade Casdoor to a version beyond 2.362.0 that includes a fix for the missing checkMfaEnable call in the social-login binding code path in controllers/auth.go; however, no specific patched release version number is confirmed in the available data, and the exact fix version must be verified directly from the Casdoor project maintainers and the CERT/CC advisory at https://kb.cert.org/vuls/id/780781 before deploying. As a compensating control while awaiting a confirmed patch, administrators should disable the social-login binding feature entirely if MFA enforcement is a hard security or compliance requirement - this eliminates the vulnerable code path at the cost of SSO convenience for social identity providers. Alternatively, restrict network access to the Casdoor social-login binding endpoint via reverse proxy or firewall rules to trusted IP ranges, reducing the automatable attack surface while accepting reduced availability for remote social-login users. Authentication logs should be actively monitored for sessions established via social-login paths that lack a corresponding MFA event as an anomaly detection measure.

CVE-2022-38638 CRITICAL POC
9.1 Sep 09

Casdoor v1.97.3 was discovered to contain an arbitrary file write vulnerability via the fullFilePath parameter at /api/u

CVE-2024-41657 HIGH POC
8.8 Aug 20

Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated high severity (CVSS 8.

CVE-2022-44942 HIGH POC
8.1 Dec 07

Casdoor before v1.126.1 was discovered to contain an arbitrary file deletion vulnerability via the uploadFile function.

CVE-2023-34927 MEDIUM POC
6.5 Jun 22

Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-passwo

CVE-2024-41658 MEDIUM POC
6.1 Aug 20

Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated medium severity (CVSS

CVE-2026-6815 MEDIUM POC
5.9 May 11

Path traversal in Casdoor's Local File System storage provider allows authenticated administrators to write arbitrary fi

CVE-2026-9097 CRITICAL
9.8 May 28

Token revocation bypass in Casdoor identity management platform (versions 2.362.0 and earlier) allows remote unauthentic

CVE-2026-9094 CRITICAL
9.8 May 28

Cross-organization token exchange in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to esc

CVE-2026-9093 CRITICAL
9.8 May 28

SAML authentication bypass in Casdoor 2.362.0 and earlier allows remote unauthenticated attackers to authenticate as arb

CVE-2026-9092 CRITICAL
9.1 May 28

Account takeover in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to hijack accounts by s

CVE-2026-9098 CRITICAL
9.1 May 28

Authentication bypass in Casdoor 2.362.0 and earlier permits remote attackers controlling a registered upstream Identity

CVE-2026-9090 CRITICAL
9.1 May 28

Authentication bypass in Casdoor identity and access management platform (versions ≤2.362.0) allows remote unauthenticat

Share

CVE-2026-9091 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy