Skip to main content

Casdoor CVE-2026-9094

| EUVDEUVD-2026-32948 CRITICAL
2026-05-28 certcc GHSA-c9w5-qp6m-m395
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 19:30 vuln.today
CVSS changed
Jun 02, 2026 - 17:22 NVD
9.8 (CRITICAL)
CVE Published
May 28, 2026 - 16:25 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 16:25 nvd
CRITICAL 9.8

DescriptionCVE.org

Casdoor versions 2.362.0 and earlier contain a vulnerability enabling cross-organization token exchange. The GetTokenExchangeToken function in object/token_oauth.go validates JWT signatures but does not verify that the token's user belongs to the same organization as the target application. This can result in privilege escalation across organizational boundaries.

AnalysisAI

Cross-organization token exchange in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to escalate privileges across organizational boundaries by exploiting incomplete JWT validation in the GetTokenExchangeToken function. While the signature is verified, the absence of an organization-scope check lets a valid token issued for one tenant be exchanged for tokens against applications belonging to a different tenant, breaking the multi-tenant trust model. No public exploit identified at time of analysis, and EPSS remains very low (0.02%) despite a CVSS of 9.8.

Technical ContextAI

Casdoor is an open-source Identity and Access Management (IAM) and Single Sign-On (SSO) platform supporting OAuth 2.0, OIDC, SAML, CAS, and LDAP, deployed as a centralized authentication broker for multi-tenant environments. The flaw lives in object/token_oauth.go inside the GetTokenExchangeToken function, which implements RFC 8693 OAuth 2.0 Token Exchange. The handler correctly verifies the cryptographic signature of the incoming subject_token (JWT) but omits the authorization check that the embedded user identity belongs to the same Casdoor 'organization' (tenant) as the target client application. No CWE is assigned by NVD, but this aligns with CWE-863 (Incorrect Authorization) and CWE-1220 (Insufficient Granularity of Access Control) - a classic missing-tenant-boundary check in a federated identity system. The affected CPE is cpe:2.3:a:casdoor:casdoor:*:*:*:*:*:*:*:* covering all versions up to and including 2.362.0 per ENISA EUVD-2026-32948.

RemediationAI

No vendor-released patch identified at time of analysis from the provided data - the references include only the CERT/CC note (https://kb.cert.org/vuls/id/780781) and the NVD record (https://nvd.nist.gov/vuln/detail/CVE-2026-9094), so administrators should consult the upstream Casdoor GitHub repository for a release later than 2.362.0 that adds an organization-equality check in GetTokenExchangeToken before treating any version as fixed. Until a patched release is confirmed, compensating controls include disabling the OAuth 2.0 Token Exchange grant in any Casdoor application configuration that does not require it (side effect: breaks RFC 8693 delegation flows for legitimate clients), restricting network access to Casdoor administrative and token endpoints to trusted backends only via reverse-proxy or firewall ACLs (side effect: blocks public SSO flows if Casdoor fronts them), and disabling cross-tenant self-registration and reviewing all existing accounts in lower-trust organizations since any valid token in the instance can be leveraged (side effect: increases onboarding friction). Monitor token exchange events for mismatches between the subject_token's organization claim and the target application's owning organization, and rotate any credentials previously issued via vulnerable exchange flows.

CVE-2022-38638 CRITICAL POC
9.1 Sep 09

Casdoor v1.97.3 was discovered to contain an arbitrary file write vulnerability via the fullFilePath parameter at /api/u

CVE-2024-41657 HIGH POC
8.8 Aug 20

Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated high severity (CVSS 8.

CVE-2022-44942 HIGH POC
8.1 Dec 07

Casdoor before v1.126.1 was discovered to contain an arbitrary file deletion vulnerability via the uploadFile function.

CVE-2023-34927 MEDIUM POC
6.5 Jun 22

Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-passwo

CVE-2024-41658 MEDIUM POC
6.1 Aug 20

Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated medium severity (CVSS

CVE-2026-6815 MEDIUM POC
5.9 May 11

Path traversal in Casdoor's Local File System storage provider allows authenticated administrators to write arbitrary fi

CVE-2026-9097 CRITICAL
9.8 May 28

Token revocation bypass in Casdoor identity management platform (versions 2.362.0 and earlier) allows remote unauthentic

CVE-2026-9093 CRITICAL
9.8 May 28

SAML authentication bypass in Casdoor 2.362.0 and earlier allows remote unauthenticated attackers to authenticate as arb

CVE-2026-9092 CRITICAL
9.1 May 28

Account takeover in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to hijack accounts by s

CVE-2026-9098 CRITICAL
9.1 May 28

Authentication bypass in Casdoor 2.362.0 and earlier permits remote attackers controlling a registered upstream Identity

CVE-2026-9090 CRITICAL
9.1 May 28

Authentication bypass in Casdoor identity and access management platform (versions ≤2.362.0) allows remote unauthenticat

CVE-2026-9095 HIGH
8.1 May 28

Authentication bypass in Casdoor (versions ≤2.362.0) allows remote attackers to replay captured SAML assertions to hijac

Share

CVE-2026-9094 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy