CISA issues update on Casdoor authentication bypass flaws

Casdoor versions 2.362.0 and earlier have multiple access management vulnerabilities that can enable authentication bypass and privilege escalation, including user impersonation, MFA bypass, assertion forgery and replay, and persistent unauthorized access.

The issues cover several Casdoor Security Assertion Markup Language (SAML) processing and token exchange paths.

CVE-2026-9090 describes an authentication bypass in which the buildSpCertificateStore function extracts an X.509 certificate from the incoming SAMLResponse instead of using the trusted, pre-configured Identity Provider certificate, so an attacker-controlled signing key is accepted. CVE-2026-9091 is a logic flaw in the social-login binding flow in controllers/auth.go: the binding-rule code path calls HandleLoggedIn directly without invoking checkMfaEnable, resulting in logged-in sessions without MFA enforcement. CVE-2026-9092 covers unverified email binding: getExistUserByBindingRule matches users by email address without checking email_verified from upstream providers, and idp.UserInfo lacks an EmailVerified field.

CVE-2026-9093 is a SAML service provider audience validation gap: Casdoor does not validate AudienceRestriction, does not set AudienceURI, and does not check for WarningInfo.NotInAudience warnings. CVE-2026-9094 enables cross-organization token exchange because GetTokenExchangeToken in object/token_oauth.go validates JWT signatures but does not verify that the token's user belongs to the same organization as the target application. CVE-2026-9095 covers SAML assertions being mapped to sessions without replay protection, because ParseSamlResponse() in object/saml_sp.go retrieves the assertion info and immediately maps it to a user session with no assertion ID caching, OneTimeUse enforcement, or replay detection. CVE-2026-9096 covers the failure to enforce SAML assertion time bounds: ParseSamlResponse() never reads assertionInfo.WarningInfo, where the gosaml2 library reports the NotOnOrAfter and NotBefore results. CVE-2026-9097 covers token exchange that does not verify the subject JWT is still active: GetTokenExchangeToken does not query the Token table to confirm whether the subject token has been revoked or invalidated, so the revocation check is absent.

CVE-2026-9098 describes a SAML callback handler in controllers/auth.go that accepts any well-formed SAMLResponse sent to /api/acs without verifying that it corresponds to an AuthnRequest previously issued by Casdoor; it also keeps processing responses using the provider snapshot loaded at the start of the request even if an administrator disables or deletes the IdP, so unsolicited or replayed responses still result in session issuance.
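
The audience, request-correlation, time-bound and replay checks that CVE-2026-9093, CVE-2026-9095, CVE-2026-9096 and CVE-2026-9098 describe as missing, written as a service-provider-side validator in Go. This is an added example, not Casdoor's code: AssertionInfo is a constructed stand-in for the parsed assertion a library such as gosaml2 returns after signature verification, and the request and assertion caches are in-memory maps.

```go
package main

import (
	"errors"
	"time"
)

// AssertionInfo is a constructed stand-in for a parsed, signature-verified assertion (not gosaml2's type).
type AssertionInfo struct {
	ID, NameID, InResponseTo, Audience string
	NotBefore, NotOnOrAfter           time.Time
}

// SPValidator keeps the state needed to reject unsolicited, mis-targeted, expired and replayed assertions.
type SPValidator struct {
	AudienceURI string
	pending     map[string]bool      // AuthnRequest IDs issued but not yet answered
	seen        map[string]time.Time // accepted assertion IDs, kept until they expire
}

func NewSPValidator(audienceURI string) *SPValidator {
	return &SPValidator{AudienceURI: audienceURI, pending: map[string]bool{}, seen: map[string]time.Time{}}
}

// IssueAuthnRequest records an outgoing request ID so the response can be correlated to it.
func (v *SPValidator) IssueAuthnRequest(id string) { v.pending[id] = true }

// Validate runs the post-signature checks in order; any failure rejects the login.
func (v *SPValidator) Validate(a AssertionInfo, now time.Time) error {
	if a.Audience != v.AudienceURI {
		return errors.New("AudienceRestriction does not name this SP")
	}
	if !v.pending[a.InResponseTo] {
		return errors.New("response is not tied to an outstanding AuthnRequest")
	}
	if now.Before(a.NotBefore) || !now.Before(a.NotOnOrAfter) {
		return errors.New("assertion outside its NotBefore/NotOnOrAfter window")
	}
	if _, dup := v.seen[a.ID]; dup {
		return errors.New("assertion ID already consumed (replay)")
	}
	for id, exp := range v.seen { // expired entries could not pass the time check anyway
		if !now.Before(exp) {
			delete(v.seen, id)
		}
	}
	delete(v.pending, a.InResponseTo) // one response per request
	v.seen[a.ID] = a.NotOnOrAfter
	return nil
}
```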

Exploitation can allow attackers to impersonate users, bypass authentication controls, and escalate privileges across Casdoor deployments. Multiple SAML-processing flaws permit assertion forgery or replay, misuse of assertions across sessions, and acceptance of expired or unsolicited SAML responses; certificate trust is not enforced, time bounds and audience restrictions are ignored, and responses are not correlated to prior AuthnRequests, which allows malicious or previously captured assertions to obtain authenticated sessions for arbitrary users, including administrators. Weaknesses in MFA protection and binding logic further contribute to account compromise by enabling MFA bypass and potential account takeover via unverified email claims, supporting persistent unauthorized access through bypassed authentication requirements or security controls. Token-exchange flaws enable cross-organization privilege escalation and prevent administrators from reliably revoking tokens, because user-organization membership is not validated and token revocation status is not checked, allowing compromised or malicious tokens to be exchanged for elevated privileges in other organizations and preventing administrators from reliably terminating active sessions.

At the time of the advisory no patch was available, and CISA had not been able to reach the Casdoor team to coordinate. The guidance given to users emphasized implementing stricter identity governance controls and using external validation tools to better enforce application boundaries, restricting identity provider (IdP) usage to trusted providers, reinforcing high-privilege accounts with additional authentication paths such as downstream MFA, and monitoring logs for unusual SAML or token activity to reduce exploitability.

The advisory also includes acknowledgements to Zixu (Jason) Zhou, David Lie, Ilya Grishchenko, and Xiangyu Guo for researching and reporting the vulnerabilities, and states that the document was written by Molly Jaconski.