VDB
CVE-2026-9095
CVE-2026-9095
PUBLISHED
CVSS 8.1 HIGH
Reported by certcc · Published May 28, 2026
Casdoor versions 2.362.0 and earlier map SAML assertions to user sessions without replay protection. The ParseSamlResponse() function in object/saml_sp.go calls sp.RetrieveAssertionInfo() and immediately maps the result to a user session. There is no assertion ID cache, OneTimeUse condition enforcement, or replay detection anywhere in the SAML SP code path. As a result, an attacker can replay a previously captured SAML assertion to obtain an authenticated session for the assertion’s subject, including administrator accounts, without needing the user’s password or MFA credentials.
Risk Scores
CVSS 3.1
8.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Casdoor | Casdoor | 0 |
| Casdoor | Casdoor | 0 |
Timeline
- May 28, 2026 CVE Published
- May 28, 2026 CVE Updated
- May 29, 2026 EPSS Score
- May 30, 2026 EPSS Score
- May 31, 2026 EPSS Score
- May 31, 2026 Coalition ESS Score
- Jun 1, 2026 EPSS Score
- Jun 2, 2026 Security Advisory
- Jun 5, 2026 EPSS Score