PT-2026-44427 · Casdoor · Casdoor

David Lie

+4

·

Published

2026-05-28

·

Updated

2026-07-07

·

CVE-2026-9098

CVSS v3.1

9.1

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions Casdoor versions prior to 2.362.1
Description The SAML callback handler in controllers/auth.go accepts any well-formed SAMLResponse sent to the "/api/acs" endpoint without verifying if it corresponds to a previously issued AuthnRequest. Furthermore, if an administrator disables or deletes an Identity Provider (IdP) after a SAML flow has started, the handler continues to process the response using the provider snapshot from the start of the request. This allows an attacker controlling a registered upstream IdP to send unsolicited SAML responses or replay captured responses in different sessions or after a flow has ended, leading to unauthorized session issuance and persistent access.
Recommendations Update to a version later than 2.362.0.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-9098
GHSA-MFVP-7P3V-X9MH
GO-2026-5898

Affected Products

Casdoor