Description
Casdoor versions 2.362.0 and earlier do not verify that a JWT used for token exchange is still active. The GetTokenExchangeToken() function in object/token_oauth.go validates the JWT signature and parses its claims, but never queries the Token table to verify whether the subject token has been revoked or invalidated. Because the revocation check is entirely absent, administrators are unable to terminate active sessions or revoke compromised tokens.
Published: 2026-05-28
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Casdoor versions up to 2.362.0 validate JSON Web Tokens for signature and claims but do not verify whether the token being exchanged has been revoked in the Token table. The GetTokenExchangeToken() function therefore allows an attacker who possesses a valid JWT to obtain a new token even after an administrator has revoked or invalidated the original token, enabling continued access after a session should have been terminated.

Affected Systems

The vulnerability applies to all releases of Casdoor (vendor: Casdoor) through version 2.362.0 inclusive. Any deployment on those versions that uses the token exchange endpoint is susceptible; no particular edition or component is excluded.

Risk and Exploitability

The EPSS score of less than 1% indicates that the exploitation likelihood is low at present, yet the CVSS rating of 9.8 signals a critical severity if the vulnerability is exploited. The issue is not listed in the CISA KEV catalog, so no evidence of active exploitation is documented. Exploitation requires possessing a valid JWT and accessing the exposed token exchange endpoint; once the token is exchanged, the attacker can maintain authenticated access without triggering revocation checks.

Generated by OpenCVE AI on June 3, 2026 at 04:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Casdoor to a newer release that implements revocation verification in the token exchange process, addressing the authorization weakness.
  • If an immediate upgrade is not feasible, modify the token exchange endpoint to perform an explicit lookup of the subject token in the Token table and reject any that are marked revoked or deleted before issuing a new token.
  • As a temporary measure, disable the token exchange functionality until a patch or custom update is applied.
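As an added illustration of the lookup recommended above (example code written for this page, not Casdoor's own GetTokenExchangeToken()): a minimal Go token-exchange function shown both with and without the revocation check, using an in-memory stand-in for the Token table. The Claims, TokenRecord and TokenStore types and the jti-keyed lookup are assumptions; JWT signature verification is taken as already done before these functions run.

```go
package main

import (
	"errors"
	"fmt"
)

// Claims of a subject JWT whose signature has already been verified; the
// crypto step is assumed done and only the fields the lookup needs are kept.
type Claims struct {
	Subject string // user the token was issued to
	Jti     string // token id, the key into the token table (an assumption)
}

// TokenRecord and TokenStore are constructed in-memory stand-ins for a row of
// the Token table and for the table itself; they are not Casdoor's own types.
type TokenRecord struct{ Revoked, Deleted bool }
type TokenStore map[string]*TokenRecord

var ErrTokenUnknown = errors.New("subject token not found in token table")
var ErrTokenRevoked = errors.New("subject token revoked or deleted")

// exchangeTokenVulnerable mirrors the reported behaviour: once the JWT parses
// and verifies, a new token is issued without ever consulting the store.
func exchangeTokenVulnerable(c Claims) (string, error) {
	return "exchanged-token-for-" + c.Subject, nil
}

// exchangeTokenHardened adds the missing step: the subject token must still
// exist in the store and must be neither revoked nor deleted.
func exchangeTokenHardened(s TokenStore, c Claims) (string, error) {
	rec, ok := s[c.Jti]
	if !ok {
		return "", ErrTokenUnknown
	}
	if rec.Revoked || rec.Deleted {
		return "", ErrTokenRevoked
	}
	return "exchanged-token-for-" + c.Subject, nil
}

func main() {
	s := TokenStore{"jti-1": &TokenRecord{}}
	c := Claims{Subject: "alice", Jti: "jti-1"}
	s["jti-1"].Revoked = true // administrator revokes the session
	_, errV := exchangeTokenVulnerable(c)
	_, errH := exchangeTokenHardened(s, c)
	fmt.Println("vulnerable:", errV, "| hardened:", errH)
}
```

The hardened path also rejects a token whose row is missing entirely, which covers tokens purged from the table rather than merely flagged.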

Tracking

Advisories

No advisories yet.

References
History

Wed, 03 Jun 2026 05:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Tue, 02 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-285

Tue, 02 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 29 May 2026 01:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-285

Thu, 28 May 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Thu, 28 May 2026 20:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-862

Thu, 28 May 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Casdoor
Casdoor casdoor
Weaknesses CWE-284
CWE-862
Vendors & Products Casdoor
Casdoor casdoor

Thu, 28 May 2026 17:00:00 +0000

Type Values Removed Values Added
Description Casdoor versions 2.362.0 and earlier do not verify that a JWT used for token exchange is still active. The GetTokenExchangeToken() function in object/token_oauth.go validates the JWT signature and parses its claims, but never queries the Token table to verify whether the subject token has been revoked or invalidated. Because the revocation check is entirely absent, administrators are unable to terminate active sessions or revoke compromised tokens.
Title CVE-2026-9097
References

MITRE

Status: PUBLISHED

Assigner: certcc

Published:

Updated: 2026-06-02T16:43:52.777Z

Reserved: 2026-05-20T15:05:12.699Z

Link: CVE-2026-9097

Vulnrichment

Updated: 2026-06-02T15:50:00.643Z

NVD

Status : Deferred

Published: 2026-05-28T17:16:34.767

Modified: 2026-06-02T17:16:39.050

Link: CVE-2026-9097

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T04:45:25Z