PT-2026-55354 · Go · Github.Com/Casdoor/Casdoor

Published

2026-05-28

·

Updated

2026-05-28

CVSS v3.1

9.8

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
In Casdoor versions 2.362.0 and earlier, the SAML service provider implementation does not validate the AudienceRestriction element in SAML assertions. The buildSp function in object/saml sp.go never sets AudienceURI on the gosaml2 SAMLServiceProvider struct and never inspects WarningInfo.NotInAudience. This allows assertions issued for other service providers to be accepted by Casdoor.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Related Identifiers

GHSA-3W4H-G9F5-J84P

Affected Products

Github.Com/Casdoor/Casdoor