PT-2026-44419 · Casdoor · Casdoor

David Lie +4

Published: 2026-05-28 · Updated: 2026-05-28

CVE-2026-9090 · CVSS v3.1: 9.1 (Critical) · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Casdoor versions prior to 2.362.1

Description: An authentication bypass exists that allows attackers to impersonate users, bypass multifactor authentication, and gain persistent unauthorized access. The issue occurs because the buildSpCertificateStore() function extracts the X.509 certificate directly from the incoming SAMLResponse instead of using the trusted, pre-configured Identity Provider certificate. As a result, an attacker can forge assertions signed with a key under their control, and the signature still verifies. Additionally, flaws in the account binding and token exchange mechanisms enable further authentication bypass and privilege escalation.

Recommendations: Update to a patched version. Review authentication logs for suspicious activity related to SAML responses or unexpected account access.
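The certificate-handling flaw described above, reduced to its verification step, as an added Go example. This is not Casdoor's code and does not reproduce buildSpCertificateStore(); it models a signed response that carries its own certificate (as SAML's ds:KeyInfo does), a flawed verifier that takes its key from that embedded certificate, and a corrected verifier that only ever checks against the pre-configured IdP certificate. XML parsing and canonicalization, which real SAML signature validation also requires, are omitted. The key names, the assertion bytes and all type and function names are constructed for this demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SignedResponse is a constructed stand-in for a SAMLResponse: the signed bytes,
// the signature over them, and the X.509 certificate the sender embedded.
type SignedResponse struct {
	Assertion    []byte
	Signature    []byte
	EmbeddedCert *x509.Certificate
}

// Result records which verifier accepted which response.
type Result struct {
	EmbeddedAcceptsUnrelated bool // flawed verifier; response signed by a key the SP never configured
	PinnedAcceptsUnrelated   bool // fixed verifier; the same response
	PinnedAcceptsCertSwap    bool // fixed verifier; unconfigured key, but the IdP's cert embedded
	PinnedAcceptsGenuine     bool // fixed verifier; response signed by the configured IdP key
}

// check aborts on unexpected errors; this is a demo, not server code.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newSelfSignedCert generates a P-256 key and a self-signed certificate for it.
func newSelfSignedCert(cn string) (*ecdsa.PrivateKey, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return key, cert
}

// sign signs assertion with key and embeds cert, whatever cert is.
func sign(key *ecdsa.PrivateKey, cert *x509.Certificate, assertion []byte) *SignedResponse {
	digest := sha256.Sum256(assertion)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	check(err)
	return &SignedResponse{Assertion: assertion, Signature: sig, EmbeddedCert: cert}
}

// VerifyWithEmbeddedCert mirrors the flawed pattern the advisory describes: the
// verification key is taken from the certificate inside the message, so whoever
// built the message also chose the key it is checked against.
func VerifyWithEmbeddedCert(resp *SignedResponse) error {
	return resp.EmbeddedCert.CheckSignature(x509.ECDSAWithSHA256, resp.Assertion, resp.Signature)
}

// VerifyWithTrustedCert is the corrected pattern: the key comes from the
// pre-configured IdP certificate; an embedded certificate is at most required
// to match it and is never used as the trust root.
func VerifyWithTrustedCert(trusted *x509.Certificate, resp *SignedResponse) error {
	if resp.EmbeddedCert != nil && !resp.EmbeddedCert.Equal(trusted) {
		return errors.New("embedded certificate does not match the configured IdP certificate")
	}
	return trusted.CheckSignature(x509.ECDSAWithSHA256, resp.Assertion, resp.Signature)
}

// Demo signs one constructed assertion under a configured IdP key and under an
// unrelated key, then runs both verifiers over the results.
func Demo() Result {
	idpKey, idpCert := newSelfSignedCert("configured-idp.example")       // trusted, configured on the SP
	otherKey, otherCert := newSelfSignedCert("unconfigured-key.example") // never configured on the SP
	assertion := []byte(`<Assertion><NameID>alice</NameID></Assertion>`) // constructed payload
	genuine := sign(idpKey, idpCert, assertion)
	unrelated := sign(otherKey, otherCert, assertion)
	certSwap := sign(otherKey, idpCert, assertion) // wrong key, but the trusted cert embedded
	return Result{
		EmbeddedAcceptsUnrelated: VerifyWithEmbeddedCert(unrelated) == nil,
		PinnedAcceptsUnrelated:   VerifyWithTrustedCert(idpCert, unrelated) == nil,
		PinnedAcceptsCertSwap:    VerifyWithTrustedCert(idpCert, certSwap) == nil,
		PinnedAcceptsGenuine:     VerifyWithTrustedCert(idpCert, genuine) == nil,
	}
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

The point of the cert-swap case is that the fix is pinning the key, not comparing certificates: a response that embeds the genuine IdP certificate but is signed by some other key still fails, because the signature is checked against the configured key rather than against whatever the message claims. A mismatch between the embedded certificate and the configured one is also a useful thing to log, since it is exactly the condition the advisory's recommendation to review SAML-related authentication logs is looking for.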

Fix


Related Identifiers: CVE-2026-9090

Affected Products: Casdoor