Skip to main content

Casdoor

18 CVEs product

Monthly

CVE-2026-9098 Go CRITICAL GHSA Act Now

Authentication bypass in Casdoor 2.362.0 and earlier permits remote attackers controlling a registered upstream Identity Provider to forge or replay SAML responses to /api/acs and obtain a valid session without an originating AuthnRequest. Because the SAML callback handler also processes responses using the IdP snapshot loaded at request start, a session can be issued even after an administrator has disabled or deleted the malicious IdP. No public exploit identified at time of analysis, and EPSS scores exploitation probability at 0.01%, but the vulnerability was reported through CERT/CC and tagged as an Authentication Bypass.

Authentication Bypass Casdoor
NVD
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-9097 Go CRITICAL GHSA Act Now

Token revocation bypass in Casdoor identity management platform (versions 2.362.0 and earlier) allows remote unauthenticated attackers to continue using stolen or revoked JWTs indefinitely via the OAuth token exchange endpoint. The GetTokenExchangeToken() function validates JWT signatures but never checks the Token table for revocation status, breaking a core security guarantee of the identity provider. EPSS exploitation probability is currently very low (0.02%, 5th percentile) and no public exploit is identified, though the 9.8 CVSS reflects the high impact on authentication boundaries.

Microsoft Information Disclosure Casdoor
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-9096 Go HIGH GHSA This Week

SAML assertion time-bound enforcement is missing in Casdoor 2.362.0 and earlier, allowing remote attackers to present SAML assertions whose NotBefore/NotOnOrAfter windows have expired and still obtain valid user sessions. The underlying gosaml2 library does compute the time-validity result, but Casdoor's ParseSamlResponse() never reads the assertionInfo.WarningInfo field where those results are reported, so the check is silently discarded. No public exploit identified at time of analysis and EPSS is very low (0.02%, 5th percentile).

Denial Of Service Casdoor
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-9095 HIGH This Week

Authentication bypass in Casdoor (versions ≤2.362.0) allows remote attackers to replay captured SAML assertions to hijack any user account, including administrators, without credentials or MFA. The SAML service provider implementation lacks assertion ID caching, OneTimeUse condition enforcement, and any form of replay detection, making any intercepted assertion indefinitely reusable. No public exploit identified at time of analysis, but the vulnerability was disclosed via CERT/CC (VU#780781), indicating coordinated vendor notification.

Denial Of Service Casdoor
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-9094 Go CRITICAL PATCH GHSA Act Now

Cross-organization token exchange in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to escalate privileges across organizational boundaries by exploiting incomplete JWT validation in the GetTokenExchangeToken function. While the signature is verified, the absence of an organization-scope check lets a valid token issued for one tenant be exchanged for tokens against applications belonging to a different tenant, breaking the multi-tenant trust model. No public exploit identified at time of analysis, and EPSS remains very low (0.02%) despite a CVSS of 9.8.

Privilege Escalation Microsoft Casdoor
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-9093 Go CRITICAL GHSA Act Now

SAML authentication bypass in Casdoor 2.362.0 and earlier allows remote unauthenticated attackers to authenticate as arbitrary users by replaying SAML assertions issued for unrelated service providers, because the SP implementation never sets AudienceURI nor inspects NotInAudience warnings from gosaml2. Despite a 9.8 CVSS, EPSS is only 0.02% (5th percentile) and no public exploit identified at time of analysis, though the flaw is reported by CERT/CC which indicates coordinated disclosure rigor.

Denial Of Service Casdoor
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-9092 CRITICAL Act Now

Account takeover in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to hijack accounts by supplying unverified email claims from upstream identity providers. The getExistUserByBindingRule function matches users solely by email address without validating the email_verified claim, enabling cross-IdP account compromise. No public exploit identified at time of analysis, and EPSS rates exploitation probability at 0.02% (5th percentile), but the CVSS 9.1 reflects the severe identity-layer impact.

Information Disclosure Casdoor
NVD
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-9091 Go MEDIUM This Month

MFA enforcement in Casdoor 2.362.0 and earlier is completely bypassable via the social-login binding flow, where controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable, granting fully authenticated sessions to users who should face a second factor. Remote unauthenticated attackers with access to a linked social identity provider account can exploit this to authenticate as any MFA-protected Casdoor user, nullifying MFA as a compensating control. No public exploit has been identified at time of analysis and EPSS probability is 0.02%, though SSVC classifies the attack as automatable, indicating scripted mass exploitation is technically feasible once targeting criteria are met.

Authentication Bypass Casdoor
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-9090 Go CRITICAL GHSA Act Now

Authentication bypass in Casdoor identity and access management platform (versions ≤2.362.0) allows remote unauthenticated attackers to forge SAML assertions signed with attacker-controlled keys, impersonating arbitrary users. The flaw resides in the buildSpCertificateStore function, which trusts the X.509 certificate embedded in the inbound SAMLResponse rather than validating against the pre-configured Identity Provider certificate. No public exploit identified at time of analysis, and EPSS is currently low (0.01%), but SSVC flags the issue as automatable with total technical impact.

Denial Of Service Casdoor
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-6815 Go MEDIUM POC This Month

Path traversal in Casdoor's Local File System storage provider allows authenticated administrators to write arbitrary files to the filesystem by bypassing path sanitization in the storage sandbox. An attacker with administrative privileges can exploit insufficient input validation to create or overwrite files anywhere on the host system. EPSS score of 0.03% indicates minimal real-world exploitation probability despite the moderate CVSS 5.9 score, suggesting the vulnerability requires both authenticated access and administrative privileges that significantly limit practical attack surface.

Path Traversal Casdoor
NVD Exploit-DB VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-5469 Go MEDIUM This Month

Server-side request forgery in Casdoor 2.356.0 webhook URL handler allows authenticated remote attackers with high privileges to trigger SSRF attacks through webhook URL manipulation, enabling potential access to internal network resources. No public exploit code or active exploitation has been identified; CVSS 5.1 reflects limited confidentiality and integrity impact despite remote network accessibility.

SSRF Casdoor
NVD VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-5468 Go LOW Monitor

Stored cross-site scripting (XSS) in Casdoor 2.356.0 via the dangerouslySetInnerHTML function allows authenticated remote attackers to inject malicious scripts through the formCss, formCssMobile, or formSideHtml parameters. An attacker with authenticated access can craft payloads that execute arbitrary JavaScript in the context of other users' browsers when they view affected forms. Publicly available exploit code exists for this vulnerability, and the vendor has not responded to early disclosure attempts, indicating no coordinated patch timeline.

XSS Casdoor
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2024-41658 Go MEDIUM POC This Month

Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Casdoor
NVD GitHub
CVSS 3.1
6.1
EPSS
0.4%
CVE-2024-41657 Go HIGH POC This Week

Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Cors Misconfiguration Casdoor
NVD GitHub
CVSS 3.1
8.8
EPSS
0.7%
CVE-2024-41264 Go HIGH This Week

An issue discovered in casdoor v1.636.0 allows attackers to obtain sensitive information via the ssh.InsecureIgnoreHostKey() method. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Casdoor
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2023-34927 Go MEDIUM POC This Month

Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-password. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Casdoor
NVD GitHub Exploit-DB
CVSS 3.1
6.5
EPSS
3.1%
CVE-2022-44942 Go HIGH POC PATCH This Week

Casdoor before v1.126.1 was discovered to contain an arbitrary file deletion vulnerability via the uploadFile function. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Casdoor
NVD GitHub
CVSS 3.1
8.1
EPSS
0.9%
CVE-2022-38638 Go CRITICAL POC PATCH Act Now

Casdoor v1.97.3 was discovered to contain an arbitrary file write vulnerability via the fullFilePath parameter at /api/upload-resource. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Casdoor
NVD GitHub
CVSS 3.1
9.1
EPSS
1.0%
EPSS 0% CVSS 9.1
CRITICAL Act Now

Authentication bypass in Casdoor 2.362.0 and earlier permits remote attackers controlling a registered upstream Identity Provider to forge or replay SAML responses to /api/acs and obtain a valid session without an originating AuthnRequest. Because the SAML callback handler also processes responses using the IdP snapshot loaded at request start, a session can be issued even after an administrator has disabled or deleted the malicious IdP. No public exploit identified at time of analysis, and EPSS scores exploitation probability at 0.01%, but the vulnerability was reported through CERT/CC and tagged as an Authentication Bypass.

Authentication Bypass Casdoor
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Token revocation bypass in Casdoor identity management platform (versions 2.362.0 and earlier) allows remote unauthenticated attackers to continue using stolen or revoked JWTs indefinitely via the OAuth token exchange endpoint. The GetTokenExchangeToken() function validates JWT signatures but never checks the Token table for revocation status, breaking a core security guarantee of the identity provider. EPSS exploitation probability is currently very low (0.02%, 5th percentile) and no public exploit is identified, though the 9.8 CVSS reflects the high impact on authentication boundaries.

Microsoft Information Disclosure Casdoor
NVD
EPSS 0% CVSS 7.5
HIGH This Week

SAML assertion time-bound enforcement is missing in Casdoor 2.362.0 and earlier, allowing remote attackers to present SAML assertions whose NotBefore/NotOnOrAfter windows have expired and still obtain valid user sessions. The underlying gosaml2 library does compute the time-validity result, but Casdoor's ParseSamlResponse() never reads the assertionInfo.WarningInfo field where those results are reported, so the check is silently discarded. No public exploit identified at time of analysis and EPSS is very low (0.02%, 5th percentile).

Denial Of Service Casdoor
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Authentication bypass in Casdoor (versions ≤2.362.0) allows remote attackers to replay captured SAML assertions to hijack any user account, including administrators, without credentials or MFA. The SAML service provider implementation lacks assertion ID caching, OneTimeUse condition enforcement, and any form of replay detection, making any intercepted assertion indefinitely reusable. No public exploit identified at time of analysis, but the vulnerability was disclosed via CERT/CC (VU#780781), indicating coordinated vendor notification.

Denial Of Service Casdoor
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Cross-organization token exchange in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to escalate privileges across organizational boundaries by exploiting incomplete JWT validation in the GetTokenExchangeToken function. While the signature is verified, the absence of an organization-scope check lets a valid token issued for one tenant be exchanged for tokens against applications belonging to a different tenant, breaking the multi-tenant trust model. No public exploit identified at time of analysis, and EPSS remains very low (0.02%) despite a CVSS of 9.8.

Privilege Escalation Microsoft Casdoor
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

SAML authentication bypass in Casdoor 2.362.0 and earlier allows remote unauthenticated attackers to authenticate as arbitrary users by replaying SAML assertions issued for unrelated service providers, because the SP implementation never sets AudienceURI nor inspects NotInAudience warnings from gosaml2. Despite a 9.8 CVSS, EPSS is only 0.02% (5th percentile) and no public exploit identified at time of analysis, though the flaw is reported by CERT/CC which indicates coordinated disclosure rigor.

Denial Of Service Casdoor
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

Account takeover in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to hijack accounts by supplying unverified email claims from upstream identity providers. The getExistUserByBindingRule function matches users solely by email address without validating the email_verified claim, enabling cross-IdP account compromise. No public exploit identified at time of analysis, and EPSS rates exploitation probability at 0.02% (5th percentile), but the CVSS 9.1 reflects the severe identity-layer impact.

Information Disclosure Casdoor
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

MFA enforcement in Casdoor 2.362.0 and earlier is completely bypassable via the social-login binding flow, where controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable, granting fully authenticated sessions to users who should face a second factor. Remote unauthenticated attackers with access to a linked social identity provider account can exploit this to authenticate as any MFA-protected Casdoor user, nullifying MFA as a compensating control. No public exploit has been identified at time of analysis and EPSS probability is 0.02%, though SSVC classifies the attack as automatable, indicating scripted mass exploitation is technically feasible once targeting criteria are met.

Authentication Bypass Casdoor
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

Authentication bypass in Casdoor identity and access management platform (versions ≤2.362.0) allows remote unauthenticated attackers to forge SAML assertions signed with attacker-controlled keys, impersonating arbitrary users. The flaw resides in the buildSpCertificateStore function, which trusts the X.509 certificate embedded in the inbound SAMLResponse rather than validating against the pre-configured Identity Provider certificate. No public exploit identified at time of analysis, and EPSS is currently low (0.01%), but SSVC flags the issue as automatable with total technical impact.

Denial Of Service Casdoor
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM POC This Month

Path traversal in Casdoor's Local File System storage provider allows authenticated administrators to write arbitrary files to the filesystem by bypassing path sanitization in the storage sandbox. An attacker with administrative privileges can exploit insufficient input validation to create or overwrite files anywhere on the host system. EPSS score of 0.03% indicates minimal real-world exploitation probability despite the moderate CVSS 5.9 score, suggesting the vulnerability requires both authenticated access and administrative privileges that significantly limit practical attack surface.

Path Traversal Casdoor
NVD Exploit-DB VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

Server-side request forgery in Casdoor 2.356.0 webhook URL handler allows authenticated remote attackers with high privileges to trigger SSRF attacks through webhook URL manipulation, enabling potential access to internal network resources. No public exploit code or active exploitation has been identified; CVSS 5.1 reflects limited confidentiality and integrity impact despite remote network accessibility.

SSRF Casdoor
NVD VulDB
EPSS 0% CVSS 2.0
LOW Monitor

Stored cross-site scripting (XSS) in Casdoor 2.356.0 via the dangerouslySetInnerHTML function allows authenticated remote attackers to inject malicious scripts through the formCss, formCssMobile, or formSideHtml parameters. An attacker with authenticated access can craft payloads that execute arbitrary JavaScript in the context of other users' browsers when they view affected forms. Publicly available exploit code exists for this vulnerability, and the vendor has not responded to early disclosure attempts, indicating no coordinated patch timeline.

XSS Casdoor
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Casdoor
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC This Week

Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Cors Misconfiguration Casdoor
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

An issue discovered in casdoor v1.636.0 allows attackers to obtain sensitive information via the ssh.InsecureIgnoreHostKey() method. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Casdoor
NVD GitHub
EPSS 3% CVSS 6.5
MEDIUM POC This Month

Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-password. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Casdoor
NVD GitHub Exploit-DB
EPSS 1% CVSS 8.1
HIGH POC PATCH This Week

Casdoor before v1.126.1 was discovered to contain an arbitrary file deletion vulnerability via the uploadFile function. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Casdoor
NVD GitHub
EPSS 1% CVSS 9.1
CRITICAL POC PATCH Act Now

Casdoor v1.97.3 was discovered to contain an arbitrary file write vulnerability via the fullFilePath parameter at /api/upload-resource. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Casdoor
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy