Description
A vulnerability was identified in Casdoor 2.356.0. Affected by this issue is some unknown functionality of the component OAuth Authorization Request Handler. Such manipulation of the argument redirect_uri leads to open redirect. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-03
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Open redirect that can be leveraged for phishing or malicious site redirection
Action: Immediate Patch
AI Analysis

Impact

An attacker can manipulate the redirect_uri parameter sent to the OAuth Authorization Request Handler in Casdoor 2.356.0, causing the system to redirect users to arbitrary URLs. This open redirect flaw enables phishing campaigns or the delivery of malicious content by making victims trust the origin of the redirect. The vulnerability is not a direct code execution flaw but can subvert user trust and facilitate credential theft or malware delivery.

Affected Systems

Casdoor, specifically version 2.356.0, is affected by this flaw.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity level. The EPSS score of less than 1% suggests low current exploitation likelihood, and the vulnerability is not listed in the CISA KEV catalog. However, because the issue is exploitable remotely through crafted OAuth requests, the risk is present for any deployment still running the vulnerable Casdoor version.

Generated by OpenCVE AI on April 9, 2026 at 02:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Casdoor to a patched version that validates redirect_uri correctly.

Generated by OpenCVE AI on April 9, 2026 at 02:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:casbin:casdoor:2.356.0:*:*:*:*:*:*:*

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Casbin
Casbin casdoor
Vendors & Products Casbin
Casbin casdoor

Fri, 03 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 12:45:00 +0000

Type Values Removed Values Added
Description A vulnerability was identified in Casdoor 2.356.0. Affected by this issue is some unknown functionality of the component OAuth Authorization Request Handler. Such manipulation of the argument redirect_uri leads to open redirect. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title Casdoor OAuth Authorization Request redirect
Weaknesses CWE-601
References
Metrics cvssV2_0

{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Casbin Casdoor
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-03T12:46:24.140Z

Reserved: 2026-04-03T07:25:54.694Z

Link: CVE-2026-5467

cve-icon Vulnrichment

Updated: 2026-04-03T12:46:14.471Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-03T12:16:19.593

Modified: 2026-04-09T01:00:46.647

Link: CVE-2026-5467

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:29:17Z

Weaknesses