Skip to main content

Casdoor CVE-2026-9097

| EUVDEUVD-2026-32951 CRITICAL
2026-05-28 certcc GHSA-339w-3hqm-9pjc
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 17:22 vuln.today
CVSS changed
Jun 02, 2026 - 17:22 NVD
9.8 (CRITICAL)
CVE Published
May 28, 2026 - 16:29 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 16:29 nvd
CRITICAL 9.8

DescriptionCVE.org

Casdoor versions 2.362.0 and earlier do not verify that a JWT used for token exchange is still active. The GetTokenExchangeToken() function in object/token_oauth.go validates the JWT signature and parses its claims, but never queries the Token table to verify whether the subject token has been revoked or invalidated. Because the revocation check is entirely absent, administrators are unable to terminate active sessions or revoke compromised tokens.

AnalysisAI

Token revocation bypass in Casdoor identity management platform (versions 2.362.0 and earlier) allows remote unauthenticated attackers to continue using stolen or revoked JWTs indefinitely via the OAuth token exchange endpoint. The GetTokenExchangeToken() function validates JWT signatures but never checks the Token table for revocation status, breaking a core security guarantee of the identity provider. EPSS exploitation probability is currently very low (0.02%, 5th percentile) and no public exploit is identified, though the 9.8 CVSS reflects the high impact on authentication boundaries.

Technical ContextAI

Casdoor is an open-source identity and access management (IAM) platform implementing OAuth 2.0, OIDC, SAML, and related federation protocols, distributed via the casdoor:casdoor CPE. The defect lives in object/token_oauth.go within the OAuth 2.0 Token Exchange flow (RFC 8693), where the subject_token presented by the client is cryptographically validated for signature and claim integrity but is never reconciled against the server-side Token table that tracks revocation state. Although no CWE was assigned in the input, the behavior aligns with CWE-613 (Insufficient Session Expiration) and CWE-287 (Improper Authentication), since signature-only JWT validation without a stateful revocation check is a well-known anti-pattern for systems that expose explicit revocation APIs.

RemediationAI

Upgrade Casdoor to a release later than 2.362.0 that introduces a revocation lookup in GetTokenExchangeToken(); no exact fixed version was provided in the input, so confirm the patched version via the CERT/CC advisory at https://kb.cert.org/vuls/id/780781 and the Casdoor project release notes before deploying. As a compensating control until patched, disable or restrict the OAuth 2.0 token exchange grant type (urn:ietf:params:oauth:grant-type:token-exchange) at the application or reverse-proxy layer, which prevents the vulnerable code path from being reached but breaks any legitimate delegation/impersonation flows that rely on token exchange. Additionally, shorten access token lifetimes aggressively so revocation-by-expiration approximates real revocation (trade-off: increased refresh traffic and user-visible re-authentication), and front Casdoor with a gateway that maintains its own revocation list keyed on the JWT jti claim. Rotate any tokens believed to be compromised by rotating signing keys (kid), which invalidates all outstanding JWTs at once but forces a global re-authentication event.

CVE-2022-38638 CRITICAL POC
9.1 Sep 09

Casdoor v1.97.3 was discovered to contain an arbitrary file write vulnerability via the fullFilePath parameter at /api/u

CVE-2024-41657 HIGH POC
8.8 Aug 20

Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated high severity (CVSS 8.

CVE-2022-44942 HIGH POC
8.1 Dec 07

Casdoor before v1.126.1 was discovered to contain an arbitrary file deletion vulnerability via the uploadFile function.

CVE-2023-34927 MEDIUM POC
6.5 Jun 22

Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-passwo

CVE-2024-41658 MEDIUM POC
6.1 Aug 20

Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated medium severity (CVSS

CVE-2026-6815 MEDIUM POC
5.9 May 11

Path traversal in Casdoor's Local File System storage provider allows authenticated administrators to write arbitrary fi

CVE-2026-9094 CRITICAL
9.8 May 28

Cross-organization token exchange in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to esc

CVE-2026-9093 CRITICAL
9.8 May 28

SAML authentication bypass in Casdoor 2.362.0 and earlier allows remote unauthenticated attackers to authenticate as arb

CVE-2026-9092 CRITICAL
9.1 May 28

Account takeover in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to hijack accounts by s

CVE-2026-9098 CRITICAL
9.1 May 28

Authentication bypass in Casdoor 2.362.0 and earlier permits remote attackers controlling a registered upstream Identity

CVE-2026-9090 CRITICAL
9.1 May 28

Authentication bypass in Casdoor identity and access management platform (versions ≤2.362.0) allows remote unauthenticat

CVE-2026-9095 HIGH
8.1 May 28

Authentication bypass in Casdoor (versions ≤2.362.0) allows remote attackers to replay captured SAML assertions to hijac

Share

CVE-2026-9097 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy