PT-2026-44425 · Casdoor+1 · Casdoor+1
David Lie
+4
·
Published
2026-05-28
·
Updated
2026-07-07
·
CVE-2026-9096
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Casdoor versions prior to 2.363.0
Description
Casdoor fails to enforce SAML assertion time bounds. The
gosaml2 library calculates time-validation results, such as NotOnOrAfter and NotBefore, and reports them in the assertionInfo.WarningInfo field. However, the ParseSamlResponse() function does not read this field, causing the time bounds to be discarded before a user session is issued.Recommendations
Update to a version later than 2.362.0.
Fix
Insufficient Session Expiration
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Casdoor
Gosaml2