Description
Casdoor versions 2.362.0 and earlier contain a vulnerability involving unverified email binding that may enable account takeover. The getExistUserByBindingRule function matches users by email without checking the email_verified claim from upstream providers; the idp.UserInfo struct does not even include an EmailVerified field. An attacker can supply an unverified email claim from an upstream provider to take over accounts that use the same email address.
Published: 2026-05-28
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Casdoor versions 2.362.0 and earlier allow attackers to hijack user accounts by submitting email claims that have not been verified by the upstream identity provider. The missing email_verified check means the system trusts any provided email address, enabling an adversary to bind an unverified email to an existing account and assume its identity. This flaw constitutes an access-control lapse that directly leads to full account takeover with the privileges of the compromised user.

Affected Systems

Casdoor (vendor: Casdoor), releases 2.362.0 and earlier. The vulnerability is specific to the getExistUserByBindingRule function, where email matching occurs without verifying the email_verified flag from upstream identity providers.
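The difference between a lookup that binds on the email address alone and one that first requires the provider's verified-email assertion, as an added Go example (not Casdoor's own code; the UserInfo, User and Bind* names are hypothetical, and the EmailVerified field stands in for the claim the page says idp.UserInfo lacks):

```go
package main

import (
	"errors"
	"strings"
)

// UserInfo models the claims an upstream identity provider returns. Hypothetical
// type: the page states Casdoor's real idp.UserInfo has no EmailVerified field.
type UserInfo struct {
	Email         string
	EmailVerified bool
}

// User is a minimal stand-in for a locally stored account.
type User struct {
	Name  string
	Email string
}

var ErrUnverifiedEmail = errors.New("upstream provider did not verify the email claim")

// findUserByEmail matches an account purely on address (case-insensitive).
func findUserByEmail(users []User, email string) *User {
	for i := range users {
		if strings.EqualFold(users[i].Email, email) {
			return &users[i]
		}
	}
	return nil
}

// BindByEmailUnsafe mirrors the vulnerable rule: any email claim binds.
func BindByEmailUnsafe(users []User, info UserInfo) (*User, error) {
	if info.Email == "" {
		return nil, errors.New("no email claim")
	}
	return findUserByEmail(users, info.Email), nil
}

// BindByEmailSafe binds only when the provider asserts the email was verified.
func BindByEmailSafe(users []User, info UserInfo) (*User, error) {
	if info.Email == "" {
		return nil, errors.New("no email claim")
	}
	if !info.EmailVerified {
		return nil, ErrUnverifiedEmail
	}
	return findUserByEmail(users, info.Email), nil
}
```

A provider that never sets the verified flag will be refused by the safe rule, which is the intended outcome: such providers should not be allowed to bind by email at all.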

Risk and Exploitability

The flaw can be exploited remotely through the standard identity-provider integration by supplying a crafted email claim. The CVSS score is 9.1 and the EPSS score is < 1%, indicating a severe vulnerability with a very low but nonzero likelihood of exploitation in environments with active upstream integrations. The issue is not listed in KEV and no patch or workaround is recorded, but it remains severe because it allows full control over user accounts.

Generated by OpenCVE AI on June 1, 2026 at 23:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Casdoor to a supported release newer than 2.362.0 where the email_verified claim is validated before binding.
  • Temporarily disable or reconfigure upstream identity providers to enforce email verification before sending claims to Casdoor.
  • Inspect account binding logs for unauthorized email associations and revoke any that appear suspicious.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 23:30:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-284, CWE-639

Mon, 01 Jun 2026 21:30:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-284, CWE-639

Mon, 01 Jun 2026 20:30:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 19:30:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Thu, 28 May 2026 19:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Casdoor; Casdoor casdoor

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-284, CWE-639

Type: Vendors & Products
Values Removed: (none)
Values Added: Casdoor; Casdoor casdoor

Thu, 28 May 2026 17:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Casdoor versions 2.362.0 and earlier contain a vulnerability involving unverified email binding that may enable account takeover. The getExistUserByBindingRule function matches users by email without checking the email_verified claim from upstream providers; the idp.UserInfo struct does not even include a EmailVerified field. An attacker can supply an unverified email claim from an upstream provider to take over accounts that use the same email address.

Type: Title
Values Removed: (none)
Values Added: CVE-2026-9092
References

MITRE

Status: PUBLISHED

Assigner: certcc

Published:

Updated: 2026-06-01T16:56:56.854Z

Reserved: 2026-05-20T15:04:14.204Z

Link: CVE-2026-9092

Vulnrichment

Updated: 2026-06-01T16:56:20.314Z

NVD

Status: Deferred

Published: 2026-05-28T17:16:34.083

Modified: 2026-06-01T19:16:55.387

Link: CVE-2026-9092

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T23:15:07Z

Weaknesses
  • CWE-284: Improper Access Control
  • CWE-639: Authorization Bypass Through User-Controlled Key