Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
Casdoor versions 2.362.0 and earlier do not enforce SAML assertion time bounds. The gosaml2 library reports all time-validation results, including NotOnOrAfter and NotBefore, in the assertionInfo.WarningInfo field. However, ParseSamlResponse() never reads this field, meaning that time bounds are computed by the library but silently discarded before the user session is issued.
AnalysisAI
SAML assertion time-bound enforcement is missing in Casdoor 2.362.0 and earlier, allowing remote attackers to present SAML assertions whose NotBefore/NotOnOrAfter windows have expired and still obtain valid user sessions. The underlying gosaml2 library does compute the time-validity result, but Casdoor's ParseSamlResponse() never reads the assertionInfo.WarningInfo field where those results are reported, so the check is silently discarded. No public exploit identified at time of analysis and EPSS is very low (0.02%, 5th percentile).
Technical ContextAI
Casdoor is an open-source identity and SSO platform that acts as a SAML 2.0 Service Provider via the russellhaering/gosaml2 Go library. SAML assertions carry <Conditions NotBefore="..." NotOnOrAfter="..."> elements that bound how long an assertion is valid; an SP MUST reject assertions outside that window (SAML Core §2.5.1.2). gosaml2 surfaces NotBefore/NotOnOrAfter validation outcomes through assertionInfo.WarningInfo rather than returning a hard error, so a caller that only inspects the returned error or the assertion payload - as Casdoor's ParseSamlResponse() does - will treat an expired or not-yet-valid assertion as acceptable. The root cause is an improper validation / missing check on time-based authentication data (CWE class is not assigned in the provided data, but this maps to the CWE-294 / CWE-613 / CWE-1390 family of authentication-data validation weaknesses).
RemediationAI
No vendor-released patch identified at time of analysis from the data provided; operators should monitor the Casdoor GitHub repository and the CERT/CC note at https://kb.cert.org/vuls/id/780781 for a fixed release above 2.362.0 and upgrade as soon as one is published. As compensating controls until a fix lands, configure the SAML Identity Provider to issue assertions with the shortest practical NotOnOrAfter window (minutes, not hours) so the reusable window is minimized, ensure the IdP enforces single-use assertions and short-lived sessions on its side (trade-off: more frequent re-authentication for users), require fresh AuthnRequest flows by setting ForceAuthn=true where supported, and front Casdoor's ACS endpoint with a reverse proxy or WAF that can drop replayed SAML POSTs by InResponseTo / assertion ID (trade-off: needs replay-cache state). Treating SAML AssertionConsumer endpoints as authenticated-session-issuance and restricting them behind network controls only where the IdP egresses is also worth considering.
Casdoor v1.97.3 was discovered to contain an arbitrary file write vulnerability via the fullFilePath parameter at /api/u
Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated high severity (CVSS 8.
Casdoor before v1.126.1 was discovered to contain an arbitrary file deletion vulnerability via the uploadFile function.
Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-passwo
Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated medium severity (CVSS
Path traversal in Casdoor's Local File System storage provider allows authenticated administrators to write arbitrary fi
Token revocation bypass in Casdoor identity management platform (versions 2.362.0 and earlier) allows remote unauthentic
Cross-organization token exchange in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to esc
SAML authentication bypass in Casdoor 2.362.0 and earlier allows remote unauthenticated attackers to authenticate as arb
Account takeover in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to hijack accounts by s
Authentication bypass in Casdoor 2.362.0 and earlier permits remote attackers controlling a registered upstream Identity
Authentication bypass in Casdoor identity and access management platform (versions ≤2.362.0) allows remote unauthenticat
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32950
GHSA-rgq2-93gj-ffxg