216.73.216.170

CVE-2026-9098

· Published 28/05/2026 17:16 · Modified 28/05/2026 18:00

Labels: CVE-2026-9098 2026-05-28CVE-2026-9098[email protected]

Essential information

Published
28/05/2026 17:16
Modified
28/05/2026 18:00
Author
Creator
CISA KEV
No
CWE

Description

In Casdoor versions 2.362.0 and earlier, the SAML callback handler in controllers/auth.go accepts any well-formed SAMLResponse sent to /api/acs without verifying that it corresponds to an AuthnRequest previously issued by Casdoor. Additionally, if an administrator disables or deletes an IdP (Identity Provider) after a SAML flow has started, the handler still processes the response using the provider snapshot loaded at the start of the request. As a result, an attacker controlling a registered upstream IdP can send unsolicited SAML responses, or replay a legitimately captured response in a different session or after the original flow has ended. In both cases, Casdoor accepts the response and issues a session, enabling persistent unauthorized access.

NVD status

Status
Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
casdoor / casdoor cpe:2.3:a:casdoor:casdoor:2.362:*:*:*:*:*:*:*

References