CVE-2026-9095

Name of the Vulnerable Software and Affected Versions Casdoor versions prior to 2.362.1

Description Casdoor maps SAML assertions to user sessions without replay protection. The ParseSamlResponse() function in object/saml sp.go calls sp.RetrieveAssertionInfo() and immediately maps the result to a user session. The SAML Service Provider (SP) code path lacks an assertion ID cache, OneTimeUse condition enforcement, and replay detection. This allows an attacker to replay a previously captured SAML assertion to obtain an authenticated session for the assertion's subject, including administrator accounts, bypassing the need for passwords or multi-factor authentication (MFA) credentials.

Recommendations Update to a version later than 2.362.0.