Impact
Casdoor versions 2.362.0 and earlier do not enforce the validity window of SAML assertions. The gosaml2 library evaluates the NotBefore and NotOnOrAfter bounds, but Casdoor never consults the warning field that holds the result, so the time checks are effectively discarded before a user session is issued. Based on the description, an attacker could therefore present a SAML assertion that is already expired or not yet valid and still authenticate. The weakness stems from a missing validation step in the authentication flow and is classified as a broken authentication issue, potentially allowing credential replay or session hijacking. Because the flaw sits directly in the authentication mechanism, it compromises the confidentiality, integrity, and availability of user sessions.
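The following Go program is an added illustration of the defect pattern described above and of the corrected check; it is not code from Casdoor or gosaml2. The Assertion, Conditions, WarningInfo and AssertionInfo types, the 2-minute clock skew, and the sample assertions are constructed stand-ins (the InvalidTime flag mirrors the way gosaml2 reports a bad validity window as a warning rather than an error). Signature verification is deliberately out of scope; the point is the caller consulting, or not consulting, the warning field.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// Minimal model of the SAML <Assertion>/<Conditions> elements, constructed for
// this example. These are not gosaml2's types.
type Conditions struct {
	NotBefore    string `xml:"NotBefore,attr"`
	NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
}

type Assertion struct {
	XMLName    xml.Name   `xml:"Assertion"`
	Conditions Conditions `xml:"Conditions"`
}

// WarningInfo mirrors the pattern the advisory describes: the library records a
// bad validity window as a flag instead of failing. Field name is an assumption.
type WarningInfo struct {
	InvalidTime bool
}

type AssertionInfo struct {
	Assertion   Assertion
	WarningInfo WarningInfo
}

// checkValidityWindow applies the SAML rule: the assertion is usable only when
// NotBefore <= now < NotOnOrAfter. A small clock skew is tolerated on both ends.
func checkValidityWindow(c Conditions, now time.Time, skew time.Duration) (bool, error) {
	if c.NotBefore != "" {
		nb, err := time.Parse(time.RFC3339, c.NotBefore)
		if err != nil {
			return false, fmt.Errorf("bad NotBefore: %w", err)
		}
		if now.Add(skew).Before(nb) {
			return false, nil // not yet valid, even allowing for skew
		}
	}
	if c.NotOnOrAfter != "" {
		na, err := time.Parse(time.RFC3339, c.NotOnOrAfter)
		if err != nil {
			return false, fmt.Errorf("bad NotOnOrAfter: %w", err)
		}
		if !now.Add(-skew).Before(na) {
			return false, nil // expired; NotOnOrAfter is exclusive
		}
	}
	return true, nil
}

// retrieveAssertionInfo parses the assertion and evaluates the window, but only
// records the outcome in WarningInfo, the library-side behaviour described above.
func retrieveAssertionInfo(raw []byte, now time.Time, skew time.Duration) (*AssertionInfo, error) {
	var a Assertion
	if err := xml.Unmarshal(raw, &a); err != nil {
		return nil, err
	}
	ok, err := checkValidityWindow(a.Conditions, now, skew)
	if err != nil {
		return nil, err
	}
	return &AssertionInfo{Assertion: a, WarningInfo: WarningInfo{InvalidTime: !ok}}, nil
}

// acceptIgnoringWarnings is the vulnerable caller pattern: WarningInfo is never
// read, so an expired or future-dated assertion still yields a session.
func acceptIgnoringWarnings(info *AssertionInfo) error {
	_ = info.WarningInfo // computed by the library, silently discarded here
	return nil
}

// acceptWithWarnings is the corrected pattern: the warning field is consulted
// before any session is issued.
func acceptWithWarnings(info *AssertionInfo) error {
	if info.WarningInfo.InvalidTime {
		return errors.New("assertion rejected: outside NotBefore/NotOnOrAfter window")
	}
	return nil
}

// sampleAssertion builds a constructed, unsigned assertion for illustration.
func sampleAssertion(notBefore, notOnOrAfter string) []byte {
	return []byte(fmt.Sprintf(
		`<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Conditions NotBefore=%q NotOnOrAfter=%q/></Assertion>`,
		notBefore, notOnOrAfter))
}

// evaluate runs both callers on one assertion and reports whether each would
// issue a session.
func evaluate(raw []byte, now time.Time) (vulnAccepts, fixedAccepts bool, err error) {
	info, err := retrieveAssertionInfo(raw, now, 2*time.Minute)
	if err != nil {
		return false, false, err
	}
	return acceptIgnoringWarnings(info) == nil, acceptWithWarnings(info) == nil, nil
}

func main() {
	now := time.Date(2024, 6, 1, 12, 0, 0, 0, time.UTC) // fixed "current time" for the demo
	cases := []struct{ name string; raw []byte }{
		{"expired", sampleAssertion("2024-06-01T11:00:00Z", "2024-06-01T11:05:00Z")},
		{"future", sampleAssertion("2024-06-01T13:00:00Z", "2024-06-01T13:05:00Z")},
		{"current", sampleAssertion("2024-06-01T11:58:00Z", "2024-06-01T12:03:00Z")},
	}
	for _, c := range cases {
		v, f, err := evaluate(c.raw, now)
		fmt.Printf("%-8s vulnerable_accepts=%v fixed_accepts=%v err=%v\n", c.name, v, f, err)
	}
}
```

Running it shows the expired and future-dated assertions being accepted by the caller that ignores the warning field and rejected by the one that reads it, while the current assertion passes both. A defensive code review of any gosaml2 consumer should look for exactly this: every place an AssertionInfo is turned into a session must check its warning flags first.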
Affected Systems
The affected product is Casdoor, published by Casdoor, specifically the Casdoor application itself. Versions up to and including 2.362.0 are affected; any release newer than 2.362.0 should be considered unaffected.
Risk and Exploitability
The vulnerability is a medium-to-high severity authentication flaw, as reflected by a CVSS score of 7.5. The EPSS score of < 1% indicates a low likelihood of exploitation in the wild, and no public exploits have been recorded. The likely attack vector is remote SAML assertion injection: the assertion is supplied over the network to the authentication endpoint. Because the time bounds are silently discarded, an attacker could replay expired assertions or present future-dated ones, creating a real risk of unauthorized access. Exploitation requires no privileges, whether network-level or local, so the flaw is relatively easy to exploit once a SAML assertion is in hand.
OpenCVE Enrichment