Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Casdoor versions 2.362.0 and earlier do not verify that a JWT used for token exchange is still active. The GetTokenExchangeToken() function in object/token_oauth.go validates the JWT signature and parses its claims, but never queries the Token table to verify whether the subject token has been revoked or invalidated. Because the revocation check is entirely absent, administrators are unable to terminate active sessions or revoke compromised tokens.
AnalysisAI
Token revocation bypass in Casdoor identity management platform (versions 2.362.0 and earlier) allows remote unauthenticated attackers to continue using stolen or revoked JWTs indefinitely via the OAuth token exchange endpoint. The GetTokenExchangeToken() function validates JWT signatures but never checks the Token table for revocation status, breaking a core security guarantee of the identity provider. EPSS exploitation probability is currently very low (0.02%, 5th percentile) and no public exploit is identified, though the 9.8 CVSS reflects the high impact on authentication boundaries.
Technical ContextAI
Casdoor is an open-source identity and access management (IAM) platform implementing OAuth 2.0, OIDC, SAML, and related federation protocols, distributed via the casdoor:casdoor CPE. The defect lives in object/token_oauth.go within the OAuth 2.0 Token Exchange flow (RFC 8693), where the subject_token presented by the client is cryptographically validated for signature and claim integrity but is never reconciled against the server-side Token table that tracks revocation state. Although no CWE was assigned in the input, the behavior aligns with CWE-613 (Insufficient Session Expiration) and CWE-287 (Improper Authentication), since signature-only JWT validation without a stateful revocation check is a well-known anti-pattern for systems that expose explicit revocation APIs.
RemediationAI
Upgrade Casdoor to a release later than 2.362.0 that introduces a revocation lookup in GetTokenExchangeToken(); no exact fixed version was provided in the input, so confirm the patched version via the CERT/CC advisory at https://kb.cert.org/vuls/id/780781 and the Casdoor project release notes before deploying. As a compensating control until patched, disable or restrict the OAuth 2.0 token exchange grant type (urn:ietf:params:oauth:grant-type:token-exchange) at the application or reverse-proxy layer, which prevents the vulnerable code path from being reached but breaks any legitimate delegation/impersonation flows that rely on token exchange. Additionally, shorten access token lifetimes aggressively so revocation-by-expiration approximates real revocation (trade-off: increased refresh traffic and user-visible re-authentication), and front Casdoor with a gateway that maintains its own revocation list keyed on the JWT jti claim. Rotate any tokens believed to be compromised by rotating signing keys (kid), which invalidates all outstanding JWTs at once but forces a global re-authentication event.
Casdoor v1.97.3 was discovered to contain an arbitrary file write vulnerability via the fullFilePath parameter at /api/u
Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated high severity (CVSS 8.
Casdoor before v1.126.1 was discovered to contain an arbitrary file deletion vulnerability via the uploadFile function.
Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-passwo
Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated medium severity (CVSS
Path traversal in Casdoor's Local File System storage provider allows authenticated administrators to write arbitrary fi
Cross-organization token exchange in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to esc
SAML authentication bypass in Casdoor 2.362.0 and earlier allows remote unauthenticated attackers to authenticate as arb
Account takeover in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to hijack accounts by s
Authentication bypass in Casdoor 2.362.0 and earlier permits remote attackers controlling a registered upstream Identity
Authentication bypass in Casdoor identity and access management platform (versions ≤2.362.0) allows remote unauthenticat
Authentication bypass in Casdoor (versions ≤2.362.0) allows remote attackers to replay captured SAML assertions to hijac
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32951
GHSA-339w-3hqm-9pjc