Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Casdoor versions 2.362.0 and earlier map SAML assertions to user sessions without replay protection. The ParseSamlResponse() function in object/saml_sp.go calls sp.RetrieveAssertionInfo() and immediately maps the result to a user session. There is no assertion ID cache, OneTimeUse condition enforcement, or replay detection anywhere in the SAML SP code path. As a result, an attacker can replay a previously captured SAML assertion to obtain an authenticated session for the assertion’s subject, including administrator accounts, without needing the user’s password or MFA credentials.
AnalysisAI
Authentication bypass in Casdoor (versions ≤2.362.0) allows remote attackers to replay captured SAML assertions to hijack any user account, including administrators, without credentials or MFA. The SAML service provider implementation lacks assertion ID caching, OneTimeUse condition enforcement, and any form of replay detection, making any intercepted assertion indefinitely reusable. No public exploit identified at time of analysis, but the vulnerability was disclosed via CERT/CC (VU#780781), indicating coordinated vendor notification.
Technical ContextAI
Casdoor is an open-source identity and access management (IAM) platform supporting OAuth, SAML, OIDC, and other federation protocols. The flaw resides in object/saml_sp.go where ParseSamlResponse() invokes sp.RetrieveAssertionInfo() and binds the returned subject to a session without performing the SAML replay-protection steps mandated by the SAML 2.0 Core specification (Section 4.1.4.5). CWE-294 (Authentication Bypass by Capture-Replay) captures the root cause: SAML responses must be uniquely consumed via an assertion ID cache, NotOnOrAfter window enforcement, and honoring the <OneTimeUse> Condition - none of which exist in the SP code path. The affected product is identified by cpe:2.3:a:casdoor:casdoor:*:*:*:*:*:*:*:*.
RemediationAI
No vendor-released patch identified at time of analysis - neither the CERT/CC note nor the NVD reference cites a fixed version, so operators should monitor the Casdoor GitHub repository for an update to object/saml_sp.go that introduces an assertion ID replay cache and OneTimeUse enforcement. As compensating controls, disable the SAML SSO provider in Casdoor and fall back to OAuth/OIDC if feasible (trade-off: requires reconfiguring downstream applications); enforce short SAML assertion lifetimes (NotOnOrAfter window of 1-2 minutes) at the IdP to shrink the replay window (trade-off: clock-skew-related login failures); ensure HTTPS with strict TLS for both IdP and SP endpoints to prevent on-path assertion capture; restrict network egress/ingress so SAML traffic cannot be observed by untrusted intermediaries; and rotate administrator passwords and revoke active sessions if compromise is suspected. Track the advisory at https://kb.cert.org/vuls/id/780781 for patch release notification.
Casdoor v1.97.3 was discovered to contain an arbitrary file write vulnerability via the fullFilePath parameter at /api/u
Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated high severity (CVSS 8.
Casdoor before v1.126.1 was discovered to contain an arbitrary file deletion vulnerability via the uploadFile function.
Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-passwo
Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated medium severity (CVSS
Path traversal in Casdoor's Local File System storage provider allows authenticated administrators to write arbitrary fi
Token revocation bypass in Casdoor identity management platform (versions 2.362.0 and earlier) allows remote unauthentic
Cross-organization token exchange in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to esc
SAML authentication bypass in Casdoor 2.362.0 and earlier allows remote unauthenticated attackers to authenticate as arb
Account takeover in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to hijack accounts by s
Authentication bypass in Casdoor 2.362.0 and earlier permits remote attackers controlling a registered upstream Identity
Authentication bypass in Casdoor identity and access management platform (versions ≤2.362.0) allows remote unauthenticat
Same weakness CWE-294 – Authentication Bypass by Capture-replay
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32949
GHSA-jcmp-phfm-38x8