Skip to main content

Casdoor CVE-2026-9098

| EUVDEUVD-2026-32952 CRITICAL
2026-05-28 certcc GHSA-mfvp-7p3v-x9mh
9.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 02, 2026 - 17:22 vuln.today
CVSS changed
Jun 02, 2026 - 17:22 NVD
9.1 (CRITICAL)
CVE Published
May 28, 2026 - 16:31 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In Casdoor versions 2.362.0 and earlier, the SAML callback handler in controllers/auth.go accepts any well-formed SAMLResponse sent to /api/acs without verifying that it corresponds to an AuthnRequest previously issued by Casdoor. Additionally, if an administrator disables or deletes an IdP (Identity Provider) after a SAML flow has started, the handler still processes the response using the provider snapshot loaded at the start of the request. As a result, an attacker controlling a registered upstream IdP can send unsolicited SAML responses, or replay a legitimately captured response in a different session or after the original flow has ended. In both cases, Casdoor accepts the response and issues a session, enabling persistent unauthorized access.

AnalysisAI

Authentication bypass in Casdoor 2.362.0 and earlier permits remote attackers controlling a registered upstream Identity Provider to forge or replay SAML responses to /api/acs and obtain a valid session without an originating AuthnRequest. Because the SAML callback handler also processes responses using the IdP snapshot loaded at request start, a session can be issued even after an administrator has disabled or deleted the malicious IdP. No public exploit identified at time of analysis, and EPSS scores exploitation probability at 0.01%, but the vulnerability was reported through CERT/CC and tagged as an Authentication Bypass.

Technical ContextAI

Casdoor is an open-source identity and access management (IAM) platform written in Go that federates authentication via SAML, OAuth, OIDC, and similar protocols. The defect lives in controllers/auth.go where the SAML Assertion Consumer Service endpoint (/api/acs) validates the cryptographic structure of an inbound SAMLResponse but does not bind the response to a prior outbound AuthnRequest (no RelayState/InResponseTo/state correlation), which is the SAML profile requirement designed to prevent unsolicited assertion and replay attacks. A second flaw - using the in-memory provider snapshot taken at request entry - means revocation of a malicious IdP does not affect requests already in flight, so administrative remediation has a TOCTOU gap. While the input lists CWE as N/A, the behavior maps to CWE-287 (Improper Authentication) and CWE-294 (Authentication Bypass by Capture-Replay), with the CPE cpe:2.3:a:casdoor:casdoor:*:*:*:*:*:*:*:* matching all Casdoor builds at or below 2.362.0.

RemediationAI

No vendor-released patch identified at time of analysis - the supplied references include only the CERT/CC VU#780781 coordination note (https://kb.cert.org/vuls/id/780781) and the NVD entry (https://nvd.nist.gov/vuln/detail/CVE-2026-9098), with no fixed Casdoor release number disclosed. Operators should monitor the Casdoor GitHub project for a release above 2.362.0 that adds InResponseTo/RelayState binding and re-validates IdP state at assertion-processing time, and upgrade as soon as it is published. Until a fix ships, compensating controls include disabling SAML login entirely if not in use (eliminates the attack surface but breaks SSO for SAML-federated users), removing or temporarily un-trusting any third-party or multi-tenant upstream IdPs and leaving only fully controlled internal IdPs registered (reduces but does not remove risk where partner IdPs are required), placing /api/acs behind an authenticating reverse proxy or IP allow-list that restricts callbacks to the legitimate IdP egress ranges (effective only when IdP source addresses are stable and known), and increasing audit/alerting on Casdoor session-creation events that lack a matching outbound AuthnRequest correlation ID so replayed or unsolicited assertions can be detected post-hoc.

CVE-2022-38638 CRITICAL POC
9.1 Sep 09

Casdoor v1.97.3 was discovered to contain an arbitrary file write vulnerability via the fullFilePath parameter at /api/u

CVE-2024-41657 HIGH POC
8.8 Aug 20

Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated high severity (CVSS 8.

CVE-2022-44942 HIGH POC
8.1 Dec 07

Casdoor before v1.126.1 was discovered to contain an arbitrary file deletion vulnerability via the uploadFile function.

CVE-2023-34927 MEDIUM POC
6.5 Jun 22

Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-passwo

CVE-2024-41658 MEDIUM POC
6.1 Aug 20

Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated medium severity (CVSS

CVE-2026-6815 MEDIUM POC
5.9 May 11

Path traversal in Casdoor's Local File System storage provider allows authenticated administrators to write arbitrary fi

CVE-2026-9097 CRITICAL
9.8 May 28

Token revocation bypass in Casdoor identity management platform (versions 2.362.0 and earlier) allows remote unauthentic

CVE-2026-9094 CRITICAL
9.8 May 28

Cross-organization token exchange in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to esc

CVE-2026-9093 CRITICAL
9.8 May 28

SAML authentication bypass in Casdoor 2.362.0 and earlier allows remote unauthenticated attackers to authenticate as arb

CVE-2026-9092 CRITICAL
9.1 May 28

Account takeover in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to hijack accounts by s

CVE-2026-9090 CRITICAL
9.1 May 28

Authentication bypass in Casdoor identity and access management platform (versions ≤2.362.0) allows remote unauthenticat

CVE-2026-9095 HIGH
8.1 May 28

Authentication bypass in Casdoor (versions ≤2.362.0) allows remote attackers to replay captured SAML assertions to hijac

Share

CVE-2026-9098 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy