{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/780781#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nCasdoor versions 2.362.0 and earlier contain several identity and access management vulnerabilities that enable broad authentication bypass and privilege escalation. These flaws relate to Casdoor’s Security Assertion Markup Language (SAML) processing, account binding, and token exchange mechanisms. An attacker able to interact with Casdoor’s authentication interface may impersonate users, bypass multifactor authentication (MFA), forge and replay assertions, and achieve persistent unauthorized access.  \r\n\r\n### Description\r\nCasdoor is an open-source identity and access management (IAM) platform and Model Context Protocol (MCP) gateway that provides authentication, single sign-on, and multi-protocol identity services. It is designed to centralize and streamline access control, allowing organizations to manage user identities and permissions across multiple applications and environments.\r\n\r\n**CVE-2026-9090**\r\nCasdoor versions 2.362.0 and earlier contain a vulnerability that allows an attacker to bypass authentication by supplying an arbitrary signing certificate. The `buildSpCertificateStore` function extracts the X.509 certificate directly from the incoming `SAMLResponse` instead of using the trusted pre-configured Identity Provider certificate, allowing an attacker to forge assertions signed with an attacker-controlled key.\r\n\r\n**CVE-2026-9091**\r\nA logic flaw in Casdoor's social‑login binding flow allows users to bypass configured MFA requirements. The binding‑rule code path in `controllers/auth.go` calls `HandleLoggedIn` directly without invoking `checkMfaEnable`. 
Any user authenticating via this path is logged in without MFA enforcement.\r\n\r\n**CVE-2026-9092**\r\nCasdoor contains a vulnerability involving unverified email binding that may enable account takeover. The `getExistUserByBindingRule` function matches users by email address without checking the `email_verified` claim returned from upstream providers, and the `idp.UserInfo` struct does not include an `EmailVerified` field. Therefore, an attacker can supply an unverified email claim from an upstream provider to take over accounts that use the same email address.\r\n\r\n**CVE-2026-9093**\r\nCasdoor's SAML service provider implementation does not validate the `AudienceRestriction` element in SAML assertions. Casdoor never sets the `AudienceURI` field to specify which service provider the assertion is intended for, and does not check the audience-mismatch warning that the gosaml2 library reports in `WarningInfo.NotInAudience`. As a result, Casdoor may improperly accept assertions that were issued for a different service provider.\r\n\r\n**CVE-2026-9094**\r\nCasdoor contains a vulnerability that enables cross-organization token exchange. The `GetTokenExchangeToken` function in `object/token_oauth.go` validates JWT signatures but does not verify that the token's user belongs to the same organization as the target application. This can result in privilege escalation across organizational boundaries.\r\n\r\n**CVE-2026-9095**\r\nCasdoor maps SAML assertions to user sessions without replay protection. The `ParseSamlResponse()` function in `object/saml_sp.go` calls `sp.RetrieveAssertionInfo()` and immediately maps the result to a user session. There is no assertion ID cache, `OneTimeUse` condition enforcement, or replay detection anywhere in the SAML SP code path. 
As a result, an attacker can replay a previously captured SAML assertion to obtain an authenticated session for the assertion’s subject, including administrator accounts, without needing the user’s password or MFA credentials.\r\n\r\n**CVE-2026-9096**\r\nCasdoor does not enforce SAML assertion time bounds. The gosaml2 library reports all time-validation results, including `NotOnOrAfter` and `NotBefore`, in the `assertionInfo.WarningInfo` field. However, `ParseSamlResponse()` never reads this field, meaning that time bounds are computed by the library but silently discarded before the user session is issued.\r\n\r\n**CVE-2026-9097**\r\nCasdoor does not verify that a JWT used for token exchange is still active. The `GetTokenExchangeToken()` function in `object/token_oauth.go` validates the JWT signature and parses its claims, but never queries the `Token` table to verify whether the subject token has been revoked or invalidated. Because the revocation check is entirely absent, administrators are unable to terminate active sessions or revoke compromised tokens.\r\n\r\n**CVE-2026-9098**\r\nThe SAML callback handler in `controllers/auth.go` accepts any well-formed `SAMLResponse` sent to `/api/acs` without verifying that it corresponds to an `AuthnRequest` previously issued by Casdoor. Additionally, if an administrator disables or deletes an identity provider (IdP) after a SAML flow has started, the handler still processes the response using the provider snapshot loaded at the start of the request. As a result, an attacker controlling a registered upstream IdP can send unsolicited SAML responses, or replay a legitimately captured response in a different session or after the original flow has ended. 
In both cases, Casdoor accepts the response and issues a session, enabling persistent unauthorized access.\r\n\r\n### Impact\r\nExploitation of these vulnerabilities can allow attackers to impersonate users, bypass authentication controls, and escalate privileges across Casdoor deployments.\r\n\r\n**CVE‑2026‑9090, CVE‑2026‑9093, CVE‑2026‑9095, CVE‑2026‑9096, CVE‑2026‑9098:**\r\nMultiple flaws in SAML processing allow assertion forgery or replay, misuse of assertions across sessions, and the processing of expired or unsolicited SAML responses. Because certificate trust is not enforced, time bounds and audience restrictions are ignored, and responses are not correlated to prior `AuthnRequests`, attackers can submit malicious or previously captured assertions to obtain authenticated sessions for arbitrary users, including administrators.\r\n\r\n**CVE‑2026‑9091, CVE‑2026‑9092:**\r\nWeaknesses in MFA protection and binding logic further contribute to the risk of account compromise, enabling attackers to bypass MFA and potentially take over other accounts via unverified email claims. An attacker can exploit these flaws to gain persistent unauthorized access by bypassing configured authentication requirements or security controls.\r\n\r\n**CVE‑2026‑9094, CVE‑2026‑9097:**\r\nThe discovered token-exchange flaws enable cross‑organization privilege escalation and prevent administrators from reliably revoking tokens. Because user‑organization membership is not validated and token revocation status is not checked, compromised or malicious tokens may be exchanged for elevated privileges in other organizations, and administrators cannot reliably terminate active sessions.\r\n\r\n### Solution\r\nUnfortunately, we were unable to reach the Casdoor team to coordinate this vulnerability, and a patch is not yet available. Users are advised to implement stricter identity governance controls and use external validation tools to better enforce application boundaries. 
Restrict identity provider (IdP) usage only to trusted providers, reinforce high-privilege accounts with additional authentication paths such as downstream MFA, and monitor logs for any unusual SAML or token activity to reduce the exploitability of these issues. \r\n\r\n### Acknowledgements\r\nWe extend our thanks to Zixu (Jason) Zhou (University of Toronto, PhD student), David Lie (University of Toronto, Professor), Ilya Grishchenko (University of Toronto, Postdoc), and Xiangyu Guo (University of Toronto, PhD student) for researching and reporting these vulnerabilities. This document was written by Molly Jaconski.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. 
Please consult the vendor's statements and advisory URL, if provided by the vendor, for more details.","title":"Limitations of Advisory"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/780781"}],"title":"Casdoor contains multiple authentication bypass and access management vulnerabilities","tracking":{"current_release_date":"2026-05-28T16:13:01+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.41"}},"id":"VU#780781","initial_release_date":"2026-05-28 16:13:01.424156+00:00","revision_history":[{"date":"2026-05-28T16:13:01+00:00","number":"1.20260528161301.1","summary":"Released on 2026-05-28T16:13:01+00:00"}],"status":"final","version":"1.20260528161301.1"}},"vulnerabilities":[{"title":"Casdoor versions 2.","notes":[{"category":"summary","text":"Casdoor versions 2.362.0 and earlier contain a logic flaw in the social‑login binding flow that allows users to bypass configured MFA requirements. The binding‑rule code path in controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable. Any user authenticating via this path is logged in without MFA enforcement."}],"cve":"CVE-2026-9091","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#780781"}]},{"title":"Casdoor versions 2.","notes":[{"category":"summary","text":"Casdoor versions 2.362.0 and earlier contain a vulnerability involving unverified email binding that may enable account takeover. 
The getExistUserByBindingRule function matches users by email without checking the email_verified claim from upstream providers; the idp.UserInfo struct does not even include an EmailVerified field. An attacker can supply an unverified email claim from an upstream provider to take over accounts that use the same email address."}],"cve":"CVE-2026-9092","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#780781"}]},{"title":"In Casdoor versions 2.","notes":[{"category":"summary","text":"In Casdoor versions 2.362.0 and earlier, the SAML callback handler in controllers/auth.go accepts any well-formed SAMLResponse sent to /api/acs without verifying that it corresponds to an AuthnRequest previously issued by Casdoor. Additionally, if an administrator disables or deletes an Identity Provider after a SAML flow has started, the handler still processes the response using the provider snapshot loaded at the start of the request. As a result, an attacker controlling a registered upstream IdP can send unsolicited SAML responses, or replay a legitimately captured response in a different session or after the original flow has ended. In both cases, Casdoor accepts the response and issues a session, enabling persistent unauthorized access."}],"cve":"CVE-2026-9098","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#780781"}]},{"title":"In Casdoor versions 2.","notes":[{"category":"summary","text":"In Casdoor versions 2.362.0 and earlier, the SAML service provider implementation does not validate the AudienceRestriction element in SAML assertions. The buildSp function in object/saml_sp.go never sets AudienceURI on the gosaml2 SAMLServiceProvider struct and never inspects WarningInfo.NotInAudience. 
This allows assertions issued for other service providers to be accepted by Casdoor."}],"cve":"CVE-2026-9093","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#780781"}]},{"title":"Casdoor versions 2.","notes":[{"category":"summary","text":"Casdoor versions 2.362.0 and earlier do not enforce SAML assertion time bounds. The gosaml2 library reports all time-validation results, including NotOnOrAfter and NotBefore, in the assertionInfo.WarningInfo field. However, ParseSamlResponse() never reads this field, meaning that time bounds are computed by the library but silently discarded before the user session is issued."}],"cve":"CVE-2026-9096","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#780781"}]},{"title":"Casdoor versions 2.","notes":[{"category":"summary","text":"Casdoor versions 2.362.0 and earlier map SAML assertions to user sessions without replay protection. The ParseSamlResponse() function in object/saml_sp.go calls sp.RetrieveAssertionInfo() and immediately maps the result to a user session. There is no assertion ID cache, OneTimeUse condition enforcement, or replay detection anywhere in the SAML SP code path. As a result, an attacker can replay a previously captured SAML assertion to obtain an authenticated session for the assertion’s subject, including administrator accounts, without needing the user’s password or MFA credentials."}],"cve":"CVE-2026-9095","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#780781"}]},{"title":"Casdoor versions 2.","notes":[{"category":"summary","text":"Casdoor versions 2.362.0 and earlier contain a vulnerability that allows an attacker to bypass authentication by supplying an arbitrary signing certificate. 
The buildSpCertificateStore function extracts the X.509 certificate directly from the incoming SAMLResponse instead of using the trusted pre-configured Identity Provider certificate, allowing an attacker to forge assertions signed with an attacker-controlled key."}],"cve":"CVE-2026-9090","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#780781"}]},{"title":"Casdoor versions 2.","notes":[{"category":"summary","text":"Casdoor versions 2.362.0 and earlier do not verify that a JWT used for token exchange is still active. The GetTokenExchangeToken() function in object/token_oauth.go validates the JWT signature and parses its claims, but never queries the Token table to verify whether the subject token has been revoked or invalidated. Because the revocation check is entirely absent, administrators are unable to terminate active sessions or revoke compromised tokens."}],"cve":"CVE-2026-9097","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#780781"}]},{"title":"Casdoor versions 2.","notes":[{"category":"summary","text":"Casdoor versions 2.362.0 and earlier contain a vulnerability enabling cross-organization token exchange. The GetTokenExchangeToken function in object/token_oauth.go validates JWT signatures but does not verify that the token's user belongs to the same organization as the target application. This can result in privilege escalation across organizational boundaries."}],"cve":"CVE-2026-9094","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#780781"}]}],"product_tree":{"branches":[]}}