Casdoor: Nine SAML & SSO Flaws Disclosed, Including Critical Auth Bypass (CVE-2026-9090)
Nine vulnerabilities disclosed together in Casdoor 2.362.0 and earlier, including a critical SAML authentication bypass (CVE-2026-9090, CVSS 9.1) and a cluster of SAML and token-exchange flaws enabling privilege escalation, replay attacks, and MFA bypass.

Key findings
- CVE-2026-9090 (CVSS 9.1) allows full auth bypass by supplying an arbitrary signing certificate in a SAMLResponse
- Four SAML flaws: no ACS verification, no time-bound enforcement, no replay protection, no audience restriction
- Two token-exchange bugs: revoked tokens accepted (CVE-2026-9097) and cross-org token exchange (CVE-2026-9094)
- CVE-2026-9092 enables account takeover via unverified email binding in social login
- CVE-2026-9091 bypasses MFA requirements in the social-login binding flow
- All nine vulnerabilities affect Casdoor 2.362.0 and earlier; no patch released as of disclosure
Nine security vulnerabilities were disclosed on May 28, 2026, affecting versions 2.362.0 and earlier of Casdoor, the open-source identity and access management (IAM) platform. The batch spans a critical authentication bypass, multiple SAML implementation flaws, token-exchange weaknesses, and an MFA-bypass logic bug. Together they paint a picture of systemic trust-validation gaps in Casdoor's SAML service provider and OAuth token-exchange code paths.
**Critical: Arbitrary Certificate Authentication Bypass (CVE-2026-9090, CVSS 9.1)**
The most severe vulnerability, CVE-2026-9090, allows an attacker to bypass authentication entirely by supplying an arbitrary X.509 signing certificate. The buildSpCertificateStore function extracts the certificate directly from the incoming SAMLResponse rather than using the trusted, pre-configured Identity Provider certificate. This means any attacker who can craft a SAML assertion — no privileged network position required — can sign it with their own certificate and have Casdoor accept it as valid. The result is complete authentication bypass against any instance running an affected version.
**SAML Implementation Gaps (CVE-2026-9098, CVE-2026-9096, CVE-2026-9095, CVE-2026-9093)**
Four additional SAML-related vulnerabilities compound the risk. CVE-2026-9098 describes a missing SAML CSRF / ACS endpoint check: the SAML callback handler in controllers/auth.go accepts any well-formed SAMLResponse sent to /api/acs without verifying that it corresponds to an AuthnRequest previously issued by Casdoor. This enables unsolicited response injection.
CVE-2026-9096 reveals that SAML assertion time bounds (NotOnOrAfter, NotBefore) are never enforced. The underlying gosaml2 library computes and reports time-validation results in assertionInfo.WarningInfo, but Casdoor's ParseSamlResponse() never reads that field. CVE-2026-9095 covers the absence of SAML replay protection — there is no assertion ID cache, no OneTimeUse condition enforcement, and no replay detection mechanism. CVE-2026-9093 addresses a missing AudienceRestriction validation: the buildSp function never sets AudienceURI on the gosaml2 SAMLServiceProvider struct, so assertions intended for other services are accepted.
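The checks that CVE-2026-9090 and the four SAML gaps above describe as missing, collected into one service-provider validator. This is an added example in Go, not Casdoor's or gosaml2's code; the Assertion, SPConfig and Validator types, their field names and the constructed certificate bytes are assumptions, and it assumes the XML signature has already been verified before Validate runs.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"time"
)

// Assertion holds the parsed fields an SP must still check after verifying the XML signature.
type Assertion struct {
	ID, InResponseTo, Audience string
	NotBefore, NotOnOrAfter    time.Time
	SigningCert                []byte // DER of the certificate carried in the response
}

// SPConfig is operator-supplied trust: pinned IdP certificate fingerprints and our entity ID.
type SPConfig struct {
	IdPCertFingerprints map[string]bool // hex sha256 of each configured IdP certificate
	EntityID            string          // value an AudienceRestriction must name
	ClockSkew           time.Duration
}

type Validator struct {
	cfg           SPConfig
	pending, seen map[string]bool // AuthnRequest IDs we issued; assertion IDs already consumed
}

func NewValidator(c SPConfig) *Validator { return &Validator{c, map[string]bool{}, map[string]bool{}} }
func Fingerprint(der []byte) string       { s := sha256.Sum256(der); return hex.EncodeToString(s[:]) }
func (v *Validator) IssueRequest(id string) { v.pending[id] = true } // called when an AuthnRequest is sent

// Validate enforces certificate pinning, InResponseTo, time bounds, audience and replay, in that order.
func (v *Validator) Validate(a Assertion, now time.Time) error {
	switch {
	case !v.cfg.IdPCertFingerprints[Fingerprint(a.SigningCert)]: // never trust a cert from the response
		return errors.New("signing certificate is not a configured IdP certificate")
	case !v.pending[a.InResponseTo]: // unsolicited responses are rejected
		return errors.New("InResponseTo does not match an outstanding AuthnRequest")
	case now.Before(a.NotBefore.Add(-v.cfg.ClockSkew)) || !now.Before(a.NotOnOrAfter.Add(v.cfg.ClockSkew)):
		return errors.New("assertion is outside its NotBefore/NotOnOrAfter window")
	case a.Audience != v.cfg.EntityID:
		return errors.New("assertion audience is not this service provider")
	case v.seen[a.ID]:
		return errors.New("assertion ID already consumed (replay)")
	}
	delete(v.pending, a.InResponseTo) // one AuthnRequest answers exactly one response
	v.seen[a.ID] = true               // production: expire entries once NotOnOrAfter has passed
	return nil
}
```

Pinning by fingerprint stands in for verifying the signature with the configured certificate rather than one taken from the response; the assertion-ID cache still catches a replay even when the InResponseTo check is not applicable.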
**Token Exchange Vulnerabilities (CVE-2026-9097, CVE-2026-9094)**
Two flaws target Casdoor's JWT token-exchange mechanism. CVE-2026-9097 describes a failure to verify whether a JWT used for token exchange is still active — the GetTokenExchangeToken() function validates the JWT signature and parses claims but never queries the Token table to check if the subject token has been revoked or invalidated. CVE-2026-9094 enables cross-organization token exchange: the same function validates JWT signatures but does not verify that the token's user belongs to the same organization as the target application, potentially leading to privilege escalation across tenant boundaries.
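For the two token-exchange gaps, an added Go example (not Casdoor's GetTokenExchangeToken) of the decision a handler should make once the subject JWT's signature has been verified: the Claims, TokenRecord, Application and TokenStore types are assumptions, and the map stands in for the Token table.

```go
package main

import (
	"errors"
	"time"
)

// Claims are the fields read from a subject JWT whose signature has already been verified.
type Claims struct {
	TokenID, Owner, Organization string // jti, user and organization the token was issued for
	ExpiresAt                    time.Time
}

// TokenRecord mirrors a row in the token table; revocation lives here, not inside the JWT.
type TokenRecord struct {
	Owner   string
	Revoked bool
}

// Application is the target the caller wants an exchanged token for.
type Application struct {
	Name, Organization string
}

// TokenStore is the lookup the exchange handler must consult (assumed in-memory stand-in).
type TokenStore map[string]TokenRecord

// AuthorizeExchange decides whether a signature-valid subject token may be exchanged for a
// token scoped to app: it checks liveness against the store and the tenant boundary.
func AuthorizeExchange(c Claims, app Application, store TokenStore, now time.Time) error {
	rec, ok := store[c.TokenID]
	switch {
	case !now.Before(c.ExpiresAt):
		return errors.New("subject token expired")
	case !ok:
		return errors.New("subject token unknown to the token store")
	case rec.Revoked:
		return errors.New("subject token has been revoked")
	case rec.Owner != c.Owner:
		return errors.New("subject token record does not belong to the claimed user")
	case c.Organization != app.Organization:
		return errors.New("subject token organization does not match the target application")
	}
	return nil
}
```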
**Account Takeover and MFA Bypass (CVE-2026-9092, CVE-2026-9091)**
CVE-2026-9092 involves unverified email binding that may enable account takeover. The getExistUserByBindingRule function matches users by email without checking the email_verified claim from upstream providers; the idp.UserInfo struct does not even include an EmailVerified field. An attacker who can control the email claim in a social-login response can bind to an existing account.
CVE-2026-9091 (CVSS 5.3) is a logic flaw in the social-login binding flow that allows users to bypass configured MFA requirements. The binding-rule code path in controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable, meaning any user authenticating via this path is logged in without a second factor.
**Response and Remediation**
The Casdoor project has not yet released a patched version at the time of disclosure. Users running Casdoor 2.362.0 or earlier should monitor the Casdoor GitHub repository for a security release. In the interim, organizations should review their SAML identity provider configurations, restrict access to the /api/acs endpoint where possible, and consider disabling SAML-based authentication flows if they are not strictly required.
**Why This Matters**
Casdoor is deployed as a centralized authentication gateway for many organizations. The breadth of these nine flaws — spanning SAML trust validation, token lifecycle management, tenant isolation, and MFA enforcement — means that a single unpatched instance could be compromised through multiple independent attack paths. The critical severity of CVE-2026-9090 in particular makes this batch a priority for any team running Casdoor in production.