VDB

GCVE-110-CERTCC-2026-780781

GCVE-110-CERTCC-2026-780781
Advisory Published
Vulnetix · Advisory published May 28, 2026
### Overview Casdoor versions 2.362.0 and earlier contain several identity and access management vulnerabilities that enable broad authentication bypass and privilege escalation. These flaws relate to Casdoor’s Security Assertion Markup Language (SAML) processing, account binding, and token exchange mechanisms. An attacker able to interact with Casdoor’s authentication interface may impersonate users, bypass multifactor authentication (MFA), forge and replay assertions, and achieve persistent unauthorized access. ### Description Casdoor is an open-source identity and access management (IAM) platform and Model Context Protocol (MCP) gateway that provides authentication, single sign-on, and multi-protocol identity services. It is designed to centralize and streamline access control, allowing organizations to manage user identities and permissions across multiple applications and environments. **CVE-2026-9090** Casdoor versions 2.362.0 and earlier contain a vulnerability that allows an attacker to bypass authentication by supplying an arbitrary signing certificate. The `buildSpCertificateStore` function extracts the X.509 certificate directly from the incoming `SAMLResponse` instead of using the trusted pre-configured Identity Provider certificate, allowing an attacker to forge assertions signed with an attacker-controlled key. **CVE-2026-9091** A logic flaw in Casdoor's social‑login binding flow allows users to bypass configured MFA requirements. The binding‑rule code path in `controllers/auth.go` calls `HandleLoggedIn` directly without invoking `checkMfaEnable`. Any user authenticating via this path is logged in without MFA enforcement. **CVE-2026-9092** Casdoor contains a vulnerability involving unverified email binding that may enable account takeover. The `getExistUserByBindingRule` function matches users by email address without checking the `email_verified` claim returned from upstream providers, and the `idp.UserInfo` struct does not include a `EmailVerified` field. Therefore, an attacker can supply an unverified email claim from an upstream provider to take over accounts that use the same email address. **CVE-2026-9093** Casdoor's SAML service provider implementation does not validate the `AudienceRestriction` element in SAML assertions. Casdoor never sets the `AudienceURI` field to specify which service provider the assertion is intended for, and does not check for audience mismatch warnings alerted by `WarningInfo.NotInAudience`. As a result, Casdoor may improperly accept assertions that were issued for a different service provider. **CVE-2026-9094** Casdoor contains a vulnerability that enables cross-organization token exchange. The `GetTokenExchangeToken` function in `object/token_oauth.go` validates JWT signatures but does not verify that the token's user belongs to the same organization as the target application. This can result in privilege escalation across organizational boundaries. **CVE-2026-9095** Casdoor maps SAML assertions to user sessions without replay protection. The `ParseSamlResponse()` function in `object/saml_sp.go` calls `sp.RetrieveAssertionInfo()` and immediately maps the result to a user session. There is no assertion ID cache, `OneTimeUse` condition enforcement, or replay detection anywhere in the SAML SP code path. As a result, an attacker can replay a previously captured SAML assertion to obtain an authenticated session for the assertion’s subject, including administrator accounts, without needing the user’s password or MFA credentials. **CVE-2026-9096** Casdoor does not enforce SAML assertion time bounds. The gosaml2 library reports all time-validation results, including `NotOnOrAfter` and `NotBefore`, in the `assertionInfo.WarningInfo` field. However, `ParseSamlResponse()` never reads this field, meaning that time bounds are computed by the library but silently discarded before the user session is issued. **CVE-2026-9097** Casdoor does not verify that a JWT used for token exchange is still active. The `GetTokenExchangeToken()` function in `object/token_oauth.go` validates the JWT signature and parses its claims, but never queries the `Token` table to verify whether the subject token has been revoked or invalidated. Because the revocation check is entirely absent, administrators are unable to terminate active sessions or revoke compromised tokens. **CVE-2026-9098** The SAML callback handler in `controllers/auth.go` accepts any well-formed `SAMLResponse` sent to `/api/acs` without verifying that it corresponds to an `AuthnRequest` previously issued by Casdoor. Additionally, if an administrator disables or deletes an identity provider (IdP) after a SAML flow has started, the handler still processes the response using the provider snapshot loaded at the start of the request. As a result, an attacker controlling a registered upstream IdP can send unsolicited SAML responses, or replay a legitimately captured response in a different session or after the original flow has ended. In both cases, Casdoor accepts the response and issues a session, enabling persistent unauthorized access. ### Impact Exploitation of these vulnerabilities can allow attackers to impersonate users, bypass authentication controls, and escalate privileges across Casdoor deployments. **CVE‑2026‑9090, CVE‑2026‑9093, CVE‑2026‑9095, CVE‑2026‑9096, CVE‑2026‑9098:** Multiple flaws in SAML processing allow assertion forgery or replay, misuse of assertions across sessions, and the processing of expired or unsolicited SAML responses. Because certificate trust is not enforced, time bounds and audience restrictions are ignored, and responses are not correlated to prior `AuthnRequests`, attackers can submit malicious or previously-captured assertions to obtain authenticated sessions for arbitrary users, including administrators. **CVE‑2026‑9091, CVE‑2026‑9092:** Weaknesses in MFA protection and binding logic further contribute to the risk of account compromise, enabling attackers to bypass MFA and potentially take over other accounts via unverified email claims. An attacker can exploit these flaws to gain persistent unauthorized access by bypassing configured authentication requirements or security controls. **CVE‑2026‑9094, CVE‑2026‑9097:** The discovered token-exchange flaws enable cross‑organization privilege escalation and prevent administrators from reliably revoking tokens. Because user‑organization membership is not validated and token revocation status is not checked, compromised or malicious tokens may be exchanged for elevated privileges in other organizations, and administrators cannot reliably terminate active sessions. ### Solution Unfortunately, we were unable to reach the Casdoor team to coordinate this vulnerability, and a patch is not yet available. Users are advised to implement stricter identity governance controls and utilize external validation tools to better enforce application boundaries. Restrict identity provider (IdP) usage only to trusted providers, reinforce high-privilege accounts with additional authentication paths such as downstream MFA, and monitor logs for any unusual SAML or token activity to reduce the exploitability of these issues. ### Acknowledgements We extend our thanks to Zixu (Jason) Zhou (University of Toronto, PhD student), David Lie (University of Toronto, Professor), Ilya Grishchenko (University of Toronto, Postdoc), and Xiangyu Guo (University of Toronto, PhD student) for researching and reporting these vulnerabilities. This document was written by Molly Jaconski.

Browse GCVE Records

72,921 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›