Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionCVE.org
In Casdoor versions 2.362.0 and earlier, the SAML callback handler in controllers/auth.go accepts any well-formed SAMLResponse sent to /api/acs without verifying that it corresponds to an AuthnRequest previously issued by Casdoor. Additionally, if an administrator disables or deletes an IdP (Identity Provider) after a SAML flow has started, the handler still processes the response using the provider snapshot loaded at the start of the request. As a result, an attacker controlling a registered upstream IdP can send unsolicited SAML responses, or replay a legitimately captured response in a different session or after the original flow has ended. In both cases, Casdoor accepts the response and issues a session, enabling persistent unauthorized access.
AnalysisAI
Authentication bypass in Casdoor 2.362.0 and earlier permits remote attackers controlling a registered upstream Identity Provider to forge or replay SAML responses to /api/acs and obtain a valid session without an originating AuthnRequest. Because the SAML callback handler also processes responses using the IdP snapshot loaded at request start, a session can be issued even after an administrator has disabled or deleted the malicious IdP. No public exploit identified at time of analysis, and EPSS scores exploitation probability at 0.01%, but the vulnerability was reported through CERT/CC and tagged as an Authentication Bypass.
Technical ContextAI
Casdoor is an open-source identity and access management (IAM) platform written in Go that federates authentication via SAML, OAuth, OIDC, and similar protocols. The defect lives in controllers/auth.go where the SAML Assertion Consumer Service endpoint (/api/acs) validates the cryptographic structure of an inbound SAMLResponse but does not bind the response to a prior outbound AuthnRequest (no RelayState/InResponseTo/state correlation), which is the SAML profile requirement designed to prevent unsolicited assertion and replay attacks. A second flaw - using the in-memory provider snapshot taken at request entry - means revocation of a malicious IdP does not affect requests already in flight, so administrative remediation has a TOCTOU gap. While the input lists CWE as N/A, the behavior maps to CWE-287 (Improper Authentication) and CWE-294 (Authentication Bypass by Capture-Replay), with the CPE cpe:2.3:a:casdoor:casdoor:*:*:*:*:*:*:*:* matching all Casdoor builds at or below 2.362.0.
RemediationAI
No vendor-released patch identified at time of analysis - the supplied references include only the CERT/CC VU#780781 coordination note (https://kb.cert.org/vuls/id/780781) and the NVD entry (https://nvd.nist.gov/vuln/detail/CVE-2026-9098), with no fixed Casdoor release number disclosed. Operators should monitor the Casdoor GitHub project for a release above 2.362.0 that adds InResponseTo/RelayState binding and re-validates IdP state at assertion-processing time, and upgrade as soon as it is published. Until a fix ships, compensating controls include disabling SAML login entirely if not in use (eliminates the attack surface but breaks SSO for SAML-federated users), removing or temporarily un-trusting any third-party or multi-tenant upstream IdPs and leaving only fully controlled internal IdPs registered (reduces but does not remove risk where partner IdPs are required), placing /api/acs behind an authenticating reverse proxy or IP allow-list that restricts callbacks to the legitimate IdP egress ranges (effective only when IdP source addresses are stable and known), and increasing audit/alerting on Casdoor session-creation events that lack a matching outbound AuthnRequest correlation ID so replayed or unsolicited assertions can be detected post-hoc.
Casdoor v1.97.3 was discovered to contain an arbitrary file write vulnerability via the fullFilePath parameter at /api/u
Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated high severity (CVSS 8.
Casdoor before v1.126.1 was discovered to contain an arbitrary file deletion vulnerability via the uploadFile function.
Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-passwo
Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated medium severity (CVSS
Path traversal in Casdoor's Local File System storage provider allows authenticated administrators to write arbitrary fi
Token revocation bypass in Casdoor identity management platform (versions 2.362.0 and earlier) allows remote unauthentic
Cross-organization token exchange in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to esc
SAML authentication bypass in Casdoor 2.362.0 and earlier allows remote unauthenticated attackers to authenticate as arb
Account takeover in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to hijack accounts by s
Authentication bypass in Casdoor identity and access management platform (versions ≤2.362.0) allows remote unauthenticat
Authentication bypass in Casdoor (versions ≤2.362.0) allows remote attackers to replay captured SAML assertions to hijac
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32952
GHSA-mfvp-7p3v-x9mh