CVE-2026-9091

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.

Casdoor versions 2.362.0 and earlier contain a logic flaw in the social‑login binding flow that allows users to bypass configured MFA requirements. The binding‑rule code path in controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable. Any user authenticating via this path is logged in without MFA enforcement.

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2026-9091

Affected Products

Casdoor

CVE-2026-9091

Related Identifiers

Affected Products

References · 2