Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
In Casdoor versions 2.362.0 and earlier, the SAML service provider implementation does not validate the AudienceRestriction element in SAML assertions. The buildSp function in object/saml_sp.go never sets AudienceURI on the gosaml2 SAMLServiceProvider struct and never inspects WarningInfo.NotInAudience. This allows assertions issued for other service providers to be accepted by Casdoor.
AnalysisAI
SAML authentication bypass in Casdoor 2.362.0 and earlier allows remote unauthenticated attackers to authenticate as arbitrary users by replaying SAML assertions issued for unrelated service providers, because the SP implementation never sets AudienceURI nor inspects NotInAudience warnings from gosaml2. Despite a 9.8 CVSS, EPSS is only 0.02% (5th percentile) and no public exploit identified at time of analysis, though the flaw is reported by CERT/CC which indicates coordinated disclosure rigor.
Technical ContextAI
Casdoor is an open-source identity and access management (IAM) platform supporting OAuth, SAML, CAS and other federated authentication protocols, and it embeds the gosaml2 library to act as a SAML Service Provider. SAML assertions contain an AudienceRestriction element naming the intended SP audience URI; correct SPs MUST reject assertions whose Audience does not match their own AudienceURI (a check the gosaml2 library exposes via the SAMLServiceProvider.AudienceURI field and the WarningInfo.NotInAudience flag). In object/saml_sp.go, the buildSp function instantiates the SP without populating AudienceURI and never inspects the NotInAudience warning, so the audience binding check is silently skipped. This is a classic CWE-287 / CWE-347 class issue (improper authentication / improper verification of cryptographic signature scope) - the assertion signature may be valid, but its scope binding to the intended relying party is not enforced.
RemediationAI
No vendor-released patch identified at time of analysis from the provided references - the EUVD and CERT/CC VU#780781 entries do not cite a fixed Casdoor release version. Operators should monitor the Casdoor GitHub repository (casdoor/casdoor) for a release that updates object/saml_sp.go to populate the AudienceURI field on the gosaml2 SAMLServiceProvider struct and to reject assertions when WarningInfo.NotInAudience is true, and upgrade as soon as such a release is published. As a compensating control until then, configure the upstream IdP to issue Casdoor-bound assertions from a dedicated signing key or dedicated IdP entity that no other SP trusts, so cross-SP assertion replay becomes infeasible; alternatively, disable the SAML SP login flow in Casdoor and require an alternative protocol such as OIDC if the deployment supports it, accepting the side effect of breaking any existing SAML SSO integrations. If SAML must remain enabled, restrict network access to the Casdoor SAML ACS endpoint to known IdP egress addresses to raise the bar for assertion injection. Track https://kb.cert.org/vuls/id/780781 for updates.
Casdoor v1.97.3 was discovered to contain an arbitrary file write vulnerability via the fullFilePath parameter at /api/u
Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated high severity (CVSS 8.
Casdoor before v1.126.1 was discovered to contain an arbitrary file deletion vulnerability via the uploadFile function.
Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-passwo
Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated medium severity (CVSS
Path traversal in Casdoor's Local File System storage provider allows authenticated administrators to write arbitrary fi
Token revocation bypass in Casdoor identity management platform (versions 2.362.0 and earlier) allows remote unauthentic
Cross-organization token exchange in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to esc
Account takeover in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to hijack accounts by s
Authentication bypass in Casdoor 2.362.0 and earlier permits remote attackers controlling a registered upstream Identity
Authentication bypass in Casdoor identity and access management platform (versions ≤2.362.0) allows remote unauthenticat
Authentication bypass in Casdoor (versions ≤2.362.0) allows remote attackers to replay captured SAML assertions to hijac
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32945
GHSA-3w4h-g9f5-j84p