Skip to main content

Casdoor EUVDEUVD-2026-32943

| CVE-2026-9092 CRITICAL
2026-05-28 certcc GHSA-qq8g-36vc-g254
9.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 01, 2026 - 19:26 vuln.today
CVSS changed
Jun 01, 2026 - 19:22 NVD
9.1 (CRITICAL)
CVE Published
May 28, 2026 - 16:20 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Casdoor versions 2.362.0 and earlier contain a vulnerability involving unverified email binding that may enable account takeover. The getExistUserByBindingRule function matches users by email without checking the email_verified claim from upstream providers; the idp.UserInfo struct does not even include a EmailVerified field. An attacker can supply an unverified email claim from an upstream provider to take over accounts that use the same email address.

AnalysisAI

Account takeover in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to hijack accounts by supplying unverified email claims from upstream identity providers. The getExistUserByBindingRule function matches users solely by email address without validating the email_verified claim, enabling cross-IdP account compromise. No public exploit identified at time of analysis, and EPSS rates exploitation probability at 0.02% (5th percentile), but the CVSS 9.1 reflects the severe identity-layer impact.

Technical ContextAI

Casdoor (cpe:2.3:a:casdoor:casdoor) is an open-source Identity and Access Management (IAM), Single Sign-On (SSO), and OAuth/OIDC provider written in Go. The vulnerability resides in the federated identity binding logic: when a user authenticates via an upstream Identity Provider (IdP), the getExistUserByBindingRule function attempts to link the upstream identity to an existing local account using the email claim as the matching key. However, the idp.UserInfo struct in Casdoor's IdP abstraction layer does not define an EmailVerified field, meaning the email_verified boolean claim mandated by OpenID Connect Core 1.0 (Section 5.1) is structurally discarded before binding decisions are made. The root cause is an improper authentication / trust boundary failure (conceptually CWE-287 or CWE-345), where unverified attribute data from a federated source is treated as authoritative for identity resolution. While the input lists the tag as 'Information Disclosure', this mischaracterizes the actual impact, which is account hijacking (integrity/confidentiality compromise of the victim account).

RemediationAI

No vendor-released patch identified at time of analysis - neither the CERT/CC note nor the NVD entry references a fixed Casdoor version or upstream commit. Operators should monitor the Casdoor GitHub repository and the CERT/CC advisory (https://kb.cert.org/vuls/id/780781) for a release above 2.362.0 that adds an EmailVerified field to idp.UserInfo and gates getExistUserByBindingRule on it. As compensating controls, restrict the configured upstream IdPs to only those that cryptographically attest verified emails (e.g., Google, Microsoft Entra, Okta) and remove or disable any IdP connector - particularly generic OAuth or self-hosted OIDC providers - where users can self-assert arbitrary email addresses (side effect: users of those IdPs lose SSO access). Disable the automatic email-based account-binding feature if the deployment exposes it as a configurable rule, forcing manual linking of federated identities to local accounts instead (side effect: increased onboarding friction). Audit existing user records for accounts bound from multiple IdPs sharing the same email and force password resets or re-verification for any high-privilege accounts.

CVE-2022-38638 CRITICAL POC
9.1 Sep 09

Casdoor v1.97.3 was discovered to contain an arbitrary file write vulnerability via the fullFilePath parameter at /api/u

CVE-2024-41657 HIGH POC
8.8 Aug 20

Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated high severity (CVSS 8.

CVE-2022-44942 HIGH POC
8.1 Dec 07

Casdoor before v1.126.1 was discovered to contain an arbitrary file deletion vulnerability via the uploadFile function.

CVE-2023-34927 MEDIUM POC
6.5 Jun 22

Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-passwo

CVE-2024-41658 MEDIUM POC
6.1 Aug 20

Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated medium severity (CVSS

CVE-2026-6815 MEDIUM POC
5.9 May 11

Path traversal in Casdoor's Local File System storage provider allows authenticated administrators to write arbitrary fi

CVE-2026-9097 CRITICAL
9.8 May 28

Token revocation bypass in Casdoor identity management platform (versions 2.362.0 and earlier) allows remote unauthentic

CVE-2026-9094 CRITICAL
9.8 May 28

Cross-organization token exchange in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to esc

CVE-2026-9093 CRITICAL
9.8 May 28

SAML authentication bypass in Casdoor 2.362.0 and earlier allows remote unauthenticated attackers to authenticate as arb

CVE-2026-9098 CRITICAL
9.1 May 28

Authentication bypass in Casdoor 2.362.0 and earlier permits remote attackers controlling a registered upstream Identity

CVE-2026-9090 CRITICAL
9.1 May 28

Authentication bypass in Casdoor identity and access management platform (versions ≤2.362.0) allows remote unauthenticat

CVE-2026-9095 HIGH
8.1 May 28

Authentication bypass in Casdoor (versions ≤2.362.0) allows remote attackers to replay captured SAML assertions to hijac

Share

EUVD-2026-32943 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy