Skip to main content

Casdoor CVE-2026-9096

| EUVDEUVD-2026-32950 HIGH
2026-05-28 certcc GHSA-rgq2-93gj-ffxg
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jun 02, 2026 - 17:22 vuln.today
CVSS changed
Jun 02, 2026 - 17:22 NVD
7.5 (HIGH)
CVE Published
May 28, 2026 - 16:27 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Casdoor versions 2.362.0 and earlier do not enforce SAML assertion time bounds. The gosaml2 library reports all time-validation results, including NotOnOrAfter and NotBefore, in the assertionInfo.WarningInfo field. However, ParseSamlResponse() never reads this field, meaning that time bounds are computed by the library but silently discarded before the user session is issued.

AnalysisAI

SAML assertion time-bound enforcement is missing in Casdoor 2.362.0 and earlier, allowing remote attackers to present SAML assertions whose NotBefore/NotOnOrAfter windows have expired and still obtain valid user sessions. The underlying gosaml2 library does compute the time-validity result, but Casdoor's ParseSamlResponse() never reads the assertionInfo.WarningInfo field where those results are reported, so the check is silently discarded. No public exploit identified at time of analysis and EPSS is very low (0.02%, 5th percentile).

Technical ContextAI

Casdoor is an open-source identity and SSO platform that acts as a SAML 2.0 Service Provider via the russellhaering/gosaml2 Go library. SAML assertions carry <Conditions NotBefore="..." NotOnOrAfter="..."> elements that bound how long an assertion is valid; an SP MUST reject assertions outside that window (SAML Core §2.5.1.2). gosaml2 surfaces NotBefore/NotOnOrAfter validation outcomes through assertionInfo.WarningInfo rather than returning a hard error, so a caller that only inspects the returned error or the assertion payload - as Casdoor's ParseSamlResponse() does - will treat an expired or not-yet-valid assertion as acceptable. The root cause is an improper validation / missing check on time-based authentication data (CWE class is not assigned in the provided data, but this maps to the CWE-294 / CWE-613 / CWE-1390 family of authentication-data validation weaknesses).

RemediationAI

No vendor-released patch identified at time of analysis from the data provided; operators should monitor the Casdoor GitHub repository and the CERT/CC note at https://kb.cert.org/vuls/id/780781 for a fixed release above 2.362.0 and upgrade as soon as one is published. As compensating controls until a fix lands, configure the SAML Identity Provider to issue assertions with the shortest practical NotOnOrAfter window (minutes, not hours) so the reusable window is minimized, ensure the IdP enforces single-use assertions and short-lived sessions on its side (trade-off: more frequent re-authentication for users), require fresh AuthnRequest flows by setting ForceAuthn=true where supported, and front Casdoor's ACS endpoint with a reverse proxy or WAF that can drop replayed SAML POSTs by InResponseTo / assertion ID (trade-off: needs replay-cache state). Treating SAML AssertionConsumer endpoints as authenticated-session-issuance and restricting them behind network controls only where the IdP egresses is also worth considering.

CVE-2022-38638 CRITICAL POC
9.1 Sep 09

Casdoor v1.97.3 was discovered to contain an arbitrary file write vulnerability via the fullFilePath parameter at /api/u

CVE-2024-41657 HIGH POC
8.8 Aug 20

Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated high severity (CVSS 8.

CVE-2022-44942 HIGH POC
8.1 Dec 07

Casdoor before v1.126.1 was discovered to contain an arbitrary file deletion vulnerability via the uploadFile function.

CVE-2023-34927 MEDIUM POC
6.5 Jun 22

Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-passwo

CVE-2024-41658 MEDIUM POC
6.1 Aug 20

Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated medium severity (CVSS

CVE-2026-6815 MEDIUM POC
5.9 May 11

Path traversal in Casdoor's Local File System storage provider allows authenticated administrators to write arbitrary fi

CVE-2026-9097 CRITICAL
9.8 May 28

Token revocation bypass in Casdoor identity management platform (versions 2.362.0 and earlier) allows remote unauthentic

CVE-2026-9094 CRITICAL
9.8 May 28

Cross-organization token exchange in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to esc

CVE-2026-9093 CRITICAL
9.8 May 28

SAML authentication bypass in Casdoor 2.362.0 and earlier allows remote unauthenticated attackers to authenticate as arb

CVE-2026-9092 CRITICAL
9.1 May 28

Account takeover in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to hijack accounts by s

CVE-2026-9098 CRITICAL
9.1 May 28

Authentication bypass in Casdoor 2.362.0 and earlier permits remote attackers controlling a registered upstream Identity

CVE-2026-9090 CRITICAL
9.1 May 28

Authentication bypass in Casdoor identity and access management platform (versions ≤2.362.0) allows remote unauthenticat

Share

CVE-2026-9096 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy