Impact
Casdoor versions prior to 2.362.0 allow an attacker to bypass authentication by submitting a SAML response that contains an arbitrary X.509 signing certificate. The buildSpCertificateStore routine extracts the certificate directly from the incoming SAMLResponse instead of validating it against the trusted Identity Provider certificate configured in the system. Because of this, an attacker can forge signed assertions using a key of their own choosing, causing the application to accept the assertion as valid and log the attacker in with the asserted identity. This leads to unauthorized access and potential full compromise of the system.
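To make the trust-store mistake concrete, here is an added example (not Casdoor's own code, and not the buildSpCertificateStore routine itself) that contrasts the two verification strategies the paragraph describes. It models a SAMLResponse as a constructed SignedResponse struct whose KeyInfo-style EmbeddedCert is chosen by the sender, uses ECDSA/P-256 self-signed certificates as a stand-in for whatever the real deployment uses, and the function and type names (verifyWithEmbeddedCert, verifyWithTrustedIdP, BuildScenario) are hypothetical. The flawed verifier derives its trust anchor from the response itself; the hardened one only ever checks the signature against the Identity Provider certificate that the administrator configured.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedResponse is a constructed stand-in for a SAMLResponse whose Signature
// element carries an X.509 certificate in KeyInfo. EmbeddedCert is attacker-controlled
// in the vulnerable flow because it arrives inside the message being verified.
type SignedResponse struct {
	Assertion    []byte
	Signature    []byte
	EmbeddedCert *x509.Certificate
}

// newSelfSignedCert builds a throwaway key pair and self-signed certificate (test fixture).
func newSelfSignedCert(cn string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// sign produces a response over assertion with key, embedding cert as the KeyInfo certificate.
func sign(assertion []byte, key *ecdsa.PrivateKey, cert *x509.Certificate) (*SignedResponse, error) {
	digest := sha256.Sum256(assertion)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return nil, err
	}
	return &SignedResponse{Assertion: assertion, Signature: sig, EmbeddedCert: cert}, nil
}

// verifyWithEmbeddedCert mirrors the flawed pattern: the trust store is built from the
// certificate inside the response, so any self-signed key verifies its own signature.
func verifyWithEmbeddedCert(r *SignedResponse) bool {
	pub, ok := r.EmbeddedCert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(r.Assertion)
	return ecdsa.VerifyASN1(pub, digest[:], r.Signature)
}

// verifyWithTrustedIdP is the hardened form: the embedded certificate plays no part in the
// trust decision; the signature must verify under the configured IdP certificate.
func verifyWithTrustedIdP(r *SignedResponse, trustedIdP *x509.Certificate) bool {
	pub, ok := trustedIdP.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(r.Assertion)
	return ecdsa.VerifyASN1(pub, digest[:], r.Signature)
}

// Scenario holds the configured IdP certificate plus one response signed by that IdP
// and one signed by an unrelated, untrusted key (both constructed for the demonstration).
type Scenario struct {
	TrustedIdP *x509.Certificate
	Legit      *SignedResponse
	Untrusted  *SignedResponse
}

// BuildScenario wires up the fixtures so callers can compare the two verifiers.
func BuildScenario() (*Scenario, error) {
	idpKey, idpCert, err := newSelfSignedCert("trusted-idp.example")
	if err != nil {
		return nil, err
	}
	rogueKey, rogueCert, err := newSelfSignedCert("untrusted.example")
	if err != nil {
		return nil, err
	}
	assertion := []byte(`<Assertion><NameID>alice@example.org</NameID></Assertion>`) // constructed
	legit, err := sign(assertion, idpKey, idpCert)
	if err != nil {
		return nil, err
	}
	untrusted, err := sign(assertion, rogueKey, rogueCert)
	if err != nil {
		return nil, err
	}
	return &Scenario{TrustedIdP: idpCert, Legit: legit, Untrusted: untrusted}, nil
}

func main() {
	s, err := BuildScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("embedded-cert verifier: legit=%v untrusted=%v\n",
		verifyWithEmbeddedCert(s.Legit), verifyWithEmbeddedCert(s.Untrusted))
	fmt.Printf("pinned-IdP verifier:    legit=%v untrusted=%v\n",
		verifyWithTrustedIdP(s.Legit, s.TrustedIdP), verifyWithTrustedIdP(s.Untrusted, s.TrustedIdP))
}
```

Running it shows the embedded-cert verifier accepting both responses while the pinned-IdP verifier accepts only the one signed by the configured Identity Provider. The practical check for a deployment is the same: a signature verifier must take its trust anchor from configuration, never from the message under verification, and a defender reviewing a SAML service provider should confirm that any certificate found in KeyInfo is at most compared against the configured one rather than used in its place.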
Affected Systems
The affected vendor and product are both Casdoor. All releases of Casdoor up to and including version 2.362.0 are impacted. Users running any of these versions should check whether a newer build that addresses the issue is available.
Risk and Exploitability
The vulnerability provides remote authentication bypass via the SAML protocol. Although no public exploit code is indicated, the mechanism is straightforward to leverage from any network location that can reach the SAML endpoint, such as a corporate intranet. The EPSS score is <1%, indicating a very low but nonzero probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The high CVSS score of 9.1 indicates severe risk. The likely attack vector is a crafted SAMLResponse sent to the Casdoor service; exploitation requires network access to the SAML endpoint and a SAML Identity Provider configured in Casdoor.
OpenCVE Enrichment