VDB
CVE-2026-9092
CVE-2026-9092
PUBLISHED
CVSS 9.1 CRITICAL
Reported by certcc · Published May 28, 2026
Casdoor versions 2.362.0 and earlier contain a vulnerability involving unverified email binding that may enable account takeover. The getExistUserByBindingRule function matches users by email without checking the email_verified claim from upstream providers; the idp.UserInfo struct does not even include a EmailVerified field. An attacker can supply an unverified email claim from an upstream provider to take over accounts that use the same email address.
Risk Scores
CVSS 3.1
9.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Casdoor | Casdoor | 0 |
| Casdoor | Casdoor | 0, 0 |
Timeline
- May 28, 2026 CVE Published
- May 29, 2026 EPSS Score
- May 30, 2026 EPSS Score
- May 31, 2026 EPSS Score
- May 31, 2026 Coalition ESS Score
- Jun 1, 2026 EPSS Score
- Jun 1, 2026 CVE Updated
- Jun 2, 2026 Security Advisory
- Jun 5, 2026 EPSS Score