Skip to main content

Casdoor CVE-2026-9093

| EUVDEUVD-2026-32945 CRITICAL
2026-05-28 certcc GHSA-3w4h-g9f5-j84p
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jun 02, 2026 - 19:30 vuln.today
CVSS changed
Jun 02, 2026 - 17:22 NVD
9.8 (CRITICAL)
CVE Published
May 28, 2026 - 16:21 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In Casdoor versions 2.362.0 and earlier, the SAML service provider implementation does not validate the AudienceRestriction element in SAML assertions. The buildSp function in object/saml_sp.go never sets AudienceURI on the gosaml2 SAMLServiceProvider struct and never inspects WarningInfo.NotInAudience. This allows assertions issued for other service providers to be accepted by Casdoor.

AnalysisAI

SAML authentication bypass in Casdoor 2.362.0 and earlier allows remote unauthenticated attackers to authenticate as arbitrary users by replaying SAML assertions issued for unrelated service providers, because the SP implementation never sets AudienceURI nor inspects NotInAudience warnings from gosaml2. Despite a 9.8 CVSS, EPSS is only 0.02% (5th percentile) and no public exploit identified at time of analysis, though the flaw is reported by CERT/CC which indicates coordinated disclosure rigor.

Technical ContextAI

Casdoor is an open-source identity and access management (IAM) platform supporting OAuth, SAML, CAS and other federated authentication protocols, and it embeds the gosaml2 library to act as a SAML Service Provider. SAML assertions contain an AudienceRestriction element naming the intended SP audience URI; correct SPs MUST reject assertions whose Audience does not match their own AudienceURI (a check the gosaml2 library exposes via the SAMLServiceProvider.AudienceURI field and the WarningInfo.NotInAudience flag). In object/saml_sp.go, the buildSp function instantiates the SP without populating AudienceURI and never inspects the NotInAudience warning, so the audience binding check is silently skipped. This is a classic CWE-287 / CWE-347 class issue (improper authentication / improper verification of cryptographic signature scope) - the assertion signature may be valid, but its scope binding to the intended relying party is not enforced.

RemediationAI

No vendor-released patch identified at time of analysis from the provided references - the EUVD and CERT/CC VU#780781 entries do not cite a fixed Casdoor release version. Operators should monitor the Casdoor GitHub repository (casdoor/casdoor) for a release that updates object/saml_sp.go to populate the AudienceURI field on the gosaml2 SAMLServiceProvider struct and to reject assertions when WarningInfo.NotInAudience is true, and upgrade as soon as such a release is published. As a compensating control until then, configure the upstream IdP to issue Casdoor-bound assertions from a dedicated signing key or dedicated IdP entity that no other SP trusts, so cross-SP assertion replay becomes infeasible; alternatively, disable the SAML SP login flow in Casdoor and require an alternative protocol such as OIDC if the deployment supports it, accepting the side effect of breaking any existing SAML SSO integrations. If SAML must remain enabled, restrict network access to the Casdoor SAML ACS endpoint to known IdP egress addresses to raise the bar for assertion injection. Track https://kb.cert.org/vuls/id/780781 for updates.

CVE-2022-38638 CRITICAL POC
9.1 Sep 09

Casdoor v1.97.3 was discovered to contain an arbitrary file write vulnerability via the fullFilePath parameter at /api/u

CVE-2024-41657 HIGH POC
8.8 Aug 20

Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated high severity (CVSS 8.

CVE-2022-44942 HIGH POC
8.1 Dec 07

Casdoor before v1.126.1 was discovered to contain an arbitrary file deletion vulnerability via the uploadFile function.

CVE-2023-34927 MEDIUM POC
6.5 Jun 22

Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-passwo

CVE-2024-41658 MEDIUM POC
6.1 Aug 20

Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated medium severity (CVSS

CVE-2026-6815 MEDIUM POC
5.9 May 11

Path traversal in Casdoor's Local File System storage provider allows authenticated administrators to write arbitrary fi

CVE-2026-9097 CRITICAL
9.8 May 28

Token revocation bypass in Casdoor identity management platform (versions 2.362.0 and earlier) allows remote unauthentic

CVE-2026-9094 CRITICAL
9.8 May 28

Cross-organization token exchange in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to esc

CVE-2026-9092 CRITICAL
9.1 May 28

Account takeover in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to hijack accounts by s

CVE-2026-9098 CRITICAL
9.1 May 28

Authentication bypass in Casdoor 2.362.0 and earlier permits remote attackers controlling a registered upstream Identity

CVE-2026-9090 CRITICAL
9.1 May 28

Authentication bypass in Casdoor identity and access management platform (versions ≤2.362.0) allows remote unauthenticat

CVE-2026-9095 HIGH
8.1 May 28

Authentication bypass in Casdoor (versions ≤2.362.0) allows remote attackers to replay captured SAML assertions to hijac

Share

CVE-2026-9093 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy