216.73.216.170

CVE-2026-9093

· Published 28/05/2026 17:16 · Modified 28/05/2026 18:00

Labels: CVE-2026-9093 2026-05-28CVE-2026-9093[email protected]

Essential information

Published
28/05/2026 17:16
Modified
28/05/2026 18:00
Author
Creator
CISA KEV
No
CWE

Description

In Casdoor versions 2.362.0 and earlier, the SAML service provider implementation does not validate the AudienceRestriction element in SAML assertions. The buildSp function in object/saml_sp.go never sets AudienceURI on the gosaml2 SAMLServiceProvider struct and never inspects WarningInfo.NotInAudience. This allows assertions issued for other service providers to be accepted by Casdoor.

NVD status

Status
Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
casdoor / casdoor cpe:2.3:a:casdoor:casdoor:<2.362.0:*:*:*:*:*:*:*

References