Skip to main content

Casdoor CVE-2026-9095

| EUVDEUVD-2026-32949 HIGH
Authentication Bypass by Capture-replay (CWE-294)
2026-05-28 certcc GHSA-jcmp-phfm-38x8
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
May 28, 2026 - 19:22 vuln.today
CVSS changed
May 28, 2026 - 18:22 NVD
8.1 (HIGH)
CVE Published
May 28, 2026 - 16:25 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Casdoor versions 2.362.0 and earlier map SAML assertions to user sessions without replay protection. The ParseSamlResponse() function in object/saml_sp.go calls sp.RetrieveAssertionInfo() and immediately maps the result to a user session. There is no assertion ID cache, OneTimeUse condition enforcement, or replay detection anywhere in the SAML SP code path. As a result, an attacker can replay a previously captured SAML assertion to obtain an authenticated session for the assertion’s subject, including administrator accounts, without needing the user’s password or MFA credentials.

AnalysisAI

Authentication bypass in Casdoor (versions ≤2.362.0) allows remote attackers to replay captured SAML assertions to hijack any user account, including administrators, without credentials or MFA. The SAML service provider implementation lacks assertion ID caching, OneTimeUse condition enforcement, and any form of replay detection, making any intercepted assertion indefinitely reusable. No public exploit identified at time of analysis, but the vulnerability was disclosed via CERT/CC (VU#780781), indicating coordinated vendor notification.

Technical ContextAI

Casdoor is an open-source identity and access management (IAM) platform supporting OAuth, SAML, OIDC, and other federation protocols. The flaw resides in object/saml_sp.go where ParseSamlResponse() invokes sp.RetrieveAssertionInfo() and binds the returned subject to a session without performing the SAML replay-protection steps mandated by the SAML 2.0 Core specification (Section 4.1.4.5). CWE-294 (Authentication Bypass by Capture-Replay) captures the root cause: SAML responses must be uniquely consumed via an assertion ID cache, NotOnOrAfter window enforcement, and honoring the <OneTimeUse> Condition - none of which exist in the SP code path. The affected product is identified by cpe:2.3:a:casdoor:casdoor:*:*:*:*:*:*:*:*.

RemediationAI

No vendor-released patch identified at time of analysis - neither the CERT/CC note nor the NVD reference cites a fixed version, so operators should monitor the Casdoor GitHub repository for an update to object/saml_sp.go that introduces an assertion ID replay cache and OneTimeUse enforcement. As compensating controls, disable the SAML SSO provider in Casdoor and fall back to OAuth/OIDC if feasible (trade-off: requires reconfiguring downstream applications); enforce short SAML assertion lifetimes (NotOnOrAfter window of 1-2 minutes) at the IdP to shrink the replay window (trade-off: clock-skew-related login failures); ensure HTTPS with strict TLS for both IdP and SP endpoints to prevent on-path assertion capture; restrict network egress/ingress so SAML traffic cannot be observed by untrusted intermediaries; and rotate administrator passwords and revoke active sessions if compromise is suspected. Track the advisory at https://kb.cert.org/vuls/id/780781 for patch release notification.

CVE-2022-38638 CRITICAL POC
9.1 Sep 09

Casdoor v1.97.3 was discovered to contain an arbitrary file write vulnerability via the fullFilePath parameter at /api/u

CVE-2024-41657 HIGH POC
8.8 Aug 20

Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated high severity (CVSS 8.

CVE-2022-44942 HIGH POC
8.1 Dec 07

Casdoor before v1.126.1 was discovered to contain an arbitrary file deletion vulnerability via the uploadFile function.

CVE-2023-34927 MEDIUM POC
6.5 Jun 22

Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-passwo

CVE-2024-41658 MEDIUM POC
6.1 Aug 20

Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated medium severity (CVSS

CVE-2026-6815 MEDIUM POC
5.9 May 11

Path traversal in Casdoor's Local File System storage provider allows authenticated administrators to write arbitrary fi

CVE-2026-9097 CRITICAL
9.8 May 28

Token revocation bypass in Casdoor identity management platform (versions 2.362.0 and earlier) allows remote unauthentic

CVE-2026-9094 CRITICAL
9.8 May 28

Cross-organization token exchange in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to esc

CVE-2026-9093 CRITICAL
9.8 May 28

SAML authentication bypass in Casdoor 2.362.0 and earlier allows remote unauthenticated attackers to authenticate as arb

CVE-2026-9092 CRITICAL
9.1 May 28

Account takeover in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to hijack accounts by s

CVE-2026-9098 CRITICAL
9.1 May 28

Authentication bypass in Casdoor 2.362.0 and earlier permits remote attackers controlling a registered upstream Identity

CVE-2026-9090 CRITICAL
9.1 May 28

Authentication bypass in Casdoor identity and access management platform (versions ≤2.362.0) allows remote unauthenticat

Share

CVE-2026-9095 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy