Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Casdoor versions 2.362.0 and earlier contain a vulnerability enabling cross-organization token exchange. The GetTokenExchangeToken function in object/token_oauth.go validates JWT signatures but does not verify that the token's user belongs to the same organization as the target application. This can result in privilege escalation across organizational boundaries.
AnalysisAI
Cross-organization token exchange in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to escalate privileges across organizational boundaries by exploiting incomplete JWT validation in the GetTokenExchangeToken function. While the signature is verified, the absence of an organization-scope check lets a valid token issued for one tenant be exchanged for tokens against applications belonging to a different tenant, breaking the multi-tenant trust model. No public exploit identified at time of analysis, and EPSS remains very low (0.02%) despite a CVSS of 9.8.
Technical ContextAI
Casdoor is an open-source Identity and Access Management (IAM) and Single Sign-On (SSO) platform supporting OAuth 2.0, OIDC, SAML, CAS, and LDAP, deployed as a centralized authentication broker for multi-tenant environments. The flaw lives in object/token_oauth.go inside the GetTokenExchangeToken function, which implements RFC 8693 OAuth 2.0 Token Exchange. The handler correctly verifies the cryptographic signature of the incoming subject_token (JWT) but omits the authorization check that the embedded user identity belongs to the same Casdoor 'organization' (tenant) as the target client application. No CWE is assigned by NVD, but this aligns with CWE-863 (Incorrect Authorization) and CWE-1220 (Insufficient Granularity of Access Control) - a classic missing-tenant-boundary check in a federated identity system. The affected CPE is cpe:2.3:a:casdoor:casdoor:*:*:*:*:*:*:*:* covering all versions up to and including 2.362.0 per ENISA EUVD-2026-32948.
RemediationAI
No vendor-released patch identified at time of analysis from the provided data - the references include only the CERT/CC note (https://kb.cert.org/vuls/id/780781) and the NVD record (https://nvd.nist.gov/vuln/detail/CVE-2026-9094), so administrators should consult the upstream Casdoor GitHub repository for a release later than 2.362.0 that adds an organization-equality check in GetTokenExchangeToken before treating any version as fixed. Until a patched release is confirmed, compensating controls include disabling the OAuth 2.0 Token Exchange grant in any Casdoor application configuration that does not require it (side effect: breaks RFC 8693 delegation flows for legitimate clients), restricting network access to Casdoor administrative and token endpoints to trusted backends only via reverse-proxy or firewall ACLs (side effect: blocks public SSO flows if Casdoor fronts them), and disabling cross-tenant self-registration and reviewing all existing accounts in lower-trust organizations since any valid token in the instance can be leveraged (side effect: increases onboarding friction). Monitor token exchange events for mismatches between the subject_token's organization claim and the target application's owning organization, and rotate any credentials previously issued via vulnerable exchange flows.
Casdoor v1.97.3 was discovered to contain an arbitrary file write vulnerability via the fullFilePath parameter at /api/u
Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated high severity (CVSS 8.
Casdoor before v1.126.1 was discovered to contain an arbitrary file deletion vulnerability via the uploadFile function.
Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-passwo
Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated medium severity (CVSS
Path traversal in Casdoor's Local File System storage provider allows authenticated administrators to write arbitrary fi
Token revocation bypass in Casdoor identity management platform (versions 2.362.0 and earlier) allows remote unauthentic
SAML authentication bypass in Casdoor 2.362.0 and earlier allows remote unauthenticated attackers to authenticate as arb
Account takeover in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to hijack accounts by s
Authentication bypass in Casdoor 2.362.0 and earlier permits remote attackers controlling a registered upstream Identity
Authentication bypass in Casdoor identity and access management platform (versions ≤2.362.0) allows remote unauthenticat
Authentication bypass in Casdoor (versions ≤2.362.0) allows remote attackers to replay captured SAML assertions to hijac
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32948
GHSA-c9w5-qp6m-m395