Description
In Casdoor versions 2.362.0 and earlier, the SAML callback handler in controllers/auth.go accepts any well-formed SAMLResponse sent to /api/acs without verifying that it corresponds to an AuthnRequest previously issued by Casdoor. Additionally, if an administrator disables or deletes an IdP (Identity Provider) after a SAML flow has started, the handler still processes the response using the provider snapshot loaded at the start of the request. As a result, an attacker controlling a registered upstream IdP can send unsolicited SAML responses, or replay a legitimately captured response in a different session or after the original flow has ended. In both cases, Casdoor accepts the response and issues a session, enabling persistent unauthorized access.
Published: 2026-05-28
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In affected Casdoor releases, the /api/acs endpoint accepts any well‑formed SAMLResponse without checking that it answers an AuthnRequest Casdoor itself issued (in SAML terms, the response's InResponseTo is never correlated with an outstanding request ID), so nothing ties a response to a login the user actually started. The handler also keeps processing a response after an administrator has disabled or deleted the Identity Provider, because it works from a copy of the provider record taken when the request began rather than re-reading it at the ACS step. An attacker who controls a registered IdP can therefore submit unsolicited responses, and anyone holding a captured, legitimately issued response can replay it in a different session or after the original flow has ended; in either case Casdoor creates a session, giving persistent unauthorized access to the accounts and applications it protects.

Affected Systems

Casdoor authentication service versions 2.362.0 and earlier are affected. Deployments that use Casdoor as a SAML service provider (any configuration in which an upstream IdP posts to /api/acs) should confirm the running version; every release up to and including 2.362.0 is in scope, and no fixed release is listed on this page.

Risk and Exploitability

With a CVSS 3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) the vulnerability is rated Critical: it is reachable over the network with low complexity, needs no privileges or user interaction, and yields high confidentiality and integrity impact. The EPSS score below 1% indicates a low but nonzero probability of exploitation in the wild, the SSVC decision point marks it automatable, and it is not listed in the CISA KEV catalog. Two attack paths follow from the missing request‑link check: an attacker who controls a registered upstream IdP posts an unsolicited SAMLResponse to /api/acs, or an attacker who has captured a legitimate response replays it in another session or after the original flow has ended. Both produce a persistent session without any prior access to Casdoor.

Generated by OpenCVE AI on June 3, 2026 at 04:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Casdoor release that validates the SAMLResponse's InResponseTo against AuthnRequest IDs Casdoor itself issued, consumes each ID once, bounds it with a lifetime, and re-reads the provider's enabled state at the ACS step. No such release is listed on this page yet; track the vendor's advisories.
  • If an immediate upgrade is not possible, do not rely on IP allow‑listing /api/acs: with the HTTP‑POST binding the SAMLResponse is delivered by the user's browser, not from the IdP's address, so restricting the endpoint to IdP ranges blocks legitimate logins without stopping an attacker. Instead, keep the set of registered IdPs to ones you operate or trust, audit IdP additions and changes, and after disabling or deleting an IdP review and revoke sessions that were issued through it, since an in‑flight flow can still complete against the old provider record.
  • Where a SAML‑aware reverse proxy or WAF sits in front of Casdoor, have it verify the response signature against the expected IdP certificate and correlate InResponseTo with AuthnRequest IDs it observed leaving Casdoor, rejecting responses with no outstanding request. RelayState carries application state, not proof that a request was issued, so checking it does not substitute for the InResponseTo check. Alert on /api/acs requests that no AuthnRequest preceded for that browser session, and on responses arriving for a disabled provider.
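The two checks the advisory describes as absent, request correlation and a live provider lookup, as an added example in Go (Casdoor's language) that is not Casdoor's code and does not mirror controllers/auth.go: RequestStore, Registry, AcceptResponse and sampleResponse are hypothetical names, the sample response is constructed and unsigned, and XML signature verification against the provider's certificate is assumed to have succeeded before AcceptResponse runs.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// Registry stands in for the provider table (provider name -> enabled); it is
// consulted live at ACS time, never snapshotted when the login starts.
type Registry map[string]bool

var (
	ErrUnsolicited      = errors.New("saml: InResponseTo matches no AuthnRequest issued for this provider")
	ErrReplay           = errors.New("saml: AuthnRequest ID already consumed")
	ErrExpired          = errors.New("saml: AuthnRequest expired before the response arrived")
	ErrProviderDisabled = errors.New("saml: provider disabled or no longer registered")
)

type pending struct {
	provider string
	expires  time.Time
	used     bool
}

// RequestStore remembers every AuthnRequest ID this SP issued so the ACS can demand a
// matching InResponseTo. Entries are single-use and time-limited (a production store
// also needs locking and persistence shared across instances).
type RequestStore struct {
	ttl     time.Duration
	pending map[string]*pending
}

func NewRequestStore(ttl time.Duration) *RequestStore {
	return &RequestStore{ttl: ttl, pending: map[string]*pending{}}
}

// Issue mints a fresh, unguessable AuthnRequest ID for a login against provider.
func (s *RequestStore) Issue(provider string) string {
	var b [16]byte
	rand.Read(b[:])                      // never returns an error as of Go 1.24
	id := "_" + hex.EncodeToString(b[:]) // xs:ID may not start with a digit
	s.pending[id] = &pending{provider: provider, expires: time.Now().Add(s.ttl)}
	return id
}

// consume marks id used and reports which provider the request was made for.
func (s *RequestStore) consume(id string) (string, error) {
	p, ok := s.pending[id]
	switch {
	case !ok:
		return "", ErrUnsolicited
	case p.used:
		return "", ErrReplay
	case time.Now().After(p.expires):
		delete(s.pending, id)
		return "", ErrExpired
	}
	p.used = true
	return p.provider, nil
}

// samlResponse reads only the attribute the correlation check needs.
type samlResponse struct {
	XMLName      xml.Name `xml:"Response"`
	InResponseTo string   `xml:"InResponseTo,attr"`
}

// AcceptResponse is the ACS-side decision. It assumes the XML signature was already
// verified against providerName's certificate and adds only the checks the advisory
// describes as missing: request correlation and a live provider lookup.
func AcceptResponse(reg Registry, store *RequestStore, providerName string, raw []byte) (string, error) {
	var resp samlResponse
	if err := xml.Unmarshal(raw, &resp); err != nil {
		return "", fmt.Errorf("saml: malformed response: %w", err)
	}
	if resp.InResponseTo == "" { // IdP-initiated (unsolicited) responses are refused
		return "", ErrUnsolicited
	}
	owner, err := store.consume(resp.InResponseTo)
	if err != nil {
		return "", err
	}
	if owner != providerName { // ours, but issued for a different provider
		return "", ErrUnsolicited
	}
	if !reg[providerName] { // disabled or deleted since the flow started
		return "", ErrProviderDisabled
	}
	return resp.InResponseTo, nil
}

// sampleResponse is a constructed, unsigned Response used only for demonstration.
func sampleResponse(inResponseTo string) []byte {
	return []byte(fmt.Sprintf(`<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"`+
		` xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" InResponseTo=%q>`+
		`<saml:Issuer>https://idp.example/metadata</saml:Issuer></samlp:Response>`, inResponseTo))
}

func main() {
	reg, store := Registry{"corp-idp": true}, NewRequestStore(5*time.Minute)
	id := store.Issue("corp-idp")
	_, err := AcceptResponse(reg, store, "corp-idp", sampleResponse(id))
	fmt.Println("first use:", err) // <nil>
	_, err = AcceptResponse(reg, store, "corp-idp", sampleResponse(id))
	fmt.Println("replayed:", err) // saml: AuthnRequest ID already consumed
	id2 := store.Issue("corp-idp") // a second login starts...
	reg["corp-idp"] = false        // ...and an admin disables the IdP before it completes
	_, err = AcceptResponse(reg, store, "corp-idp", sampleResponse(id2))
	fmt.Println("disabled mid-flow:", err) // saml: provider disabled or no longer registered
}
```

Run it with `go run`: a fresh response is accepted once, the same bytes are rejected as a replay, and a response for a provider disabled while its flow was in progress is refused. A real fix will differ in shape; what matters is that InResponseTo is checked against an ID the SP itself minted, consumed exactly once and bounded by a lifetime, and that the provider's enabled state is read when the response arrives rather than when the login began.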


Advisories

No advisories yet.

History

Wed, 03 Jun 2026 05:00:00 +0000
  Weaknesses: CWE-287

Wed, 03 Jun 2026 02:30:00 +0000
  Weaknesses: CWE-640

Tue, 02 Jun 2026 17:30:00 +0000
  Metrics: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}
  Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 28 May 2026 19:45:00 +0000
  First Time appeared: Casdoor, Casdoor casdoor
  Vendors & Products: Casdoor, Casdoor casdoor

Thu, 28 May 2026 19:30:00 +0000
  Weaknesses: CWE-640

Thu, 28 May 2026 17:00:00 +0000
  Description: added (the text shown in the Description section above)
  Title: CVE-2026-9098
References

MITRE
  Status: PUBLISHED
  Assigner: certcc
  Updated: 2026-06-02T16:43:43.567Z
  Reserved: 2026-05-20T15:05:20.584Z
  Link: CVE-2026-9098

Vulnrichment
  Updated: 2026-06-02T15:50:44.136Z

NVD
  Status: Deferred
  Published: 2026-05-28T17:16:34.963
  Modified: 2026-06-02T17:16:39.180
  Link: CVE-2026-9098

Redhat
  No data.

OpenCVE Enrichment
  Updated: 2026-06-03T04:45:25Z

Weaknesses