CVE-2026-9090
Description
Casdoor versions 2.362.0 and earlier contain a vulnerability that allows an attacker to bypass authentication by supplying an arbitrary signing certificate. The buildSpCertificateStore function extracts the X.509 certificate directly from the incoming SAMLResponse instead of using the trusted pre-configured Identity Provider certificate, allowing an attacker to forge assertions signed with an attacker-controlled key.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Casdoor versions ≤2.362.0 allow authentication bypass by supplying an arbitrary signing certificate in SAMLResponse, enabling forged assertions.
Vulnerability
The vulnerability resides in the buildSpCertificateStore function, which extracts the X.509 certificate directly from the incoming SAMLResponse instead of using the trusted pre-configured Identity Provider certificate. This allows an attacker to supply an arbitrary signing certificate. Affected versions are Casdoor 2.362.0 and earlier [1].
Exploitation
An attacker with network access to Casdoor's SAML authentication endpoint can craft a SAMLResponse whose assertion is signed with an attacker-controlled private key and which embeds that key's X.509 certificate in the response's KeyInfo. Because buildSpCertificateStore builds the trust store from the certificate carried in the message rather than from the configured IdP certificate, the signature verifies against the attacker's own certificate and the forged assertion is accepted. No prior authentication or user interaction is required [1].
Impact
Successful exploitation enables the attacker to bypass authentication and impersonate any user, gaining unauthorized access to the Casdoor instance and any applications relying on it for authentication. This can lead to full compromise of the identity management system and downstream services [1].
Mitigation
As of the publication date (2026-05-28), no fixed version has been released. Users should monitor Casdoor for updates. No workaround is provided in the available reference [1].
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"The buildSpCertificateStore function extracts the X.509 certificate directly from the incoming SAMLResponse instead of using the trusted pre-configured Identity Provider certificate, allowing an attacker to forge assertions signed with an attacker-controlled key."
Attack vector
An attacker who can interact with Casdoor's SAML authentication interface crafts a SAMLResponse containing an X.509 certificate under their control and signs the assertion with the corresponding private key [ref_id=1]. Casdoor's buildSpCertificateStore function extracts the certificate from the incoming message rather than validating it against the trusted Identity Provider certificate, so the forged assertion is accepted [ref_id=1]. This allows the attacker to impersonate any user without possessing valid IdP credentials, bypassing authentication entirely [ref_id=1].
Affected code
The vulnerable function is buildSpCertificateStore, which processes SAMLResponse messages [ref_id=1]. The advisory does not specify the file path, but the function is part of Casdoor's SAML service provider implementation [ref_id=1].
What the fix does
The advisory does not include a patch diff, but the remediation is to stop deriving trust from the message: buildSpCertificateStore must build its certificate store solely from the administrator-configured Identity Provider certificate and must never promote an X.509 certificate carried in the incoming SAMLResponse to a trust anchor [ref_id=1]. Signature verification then succeeds only for assertions signed with the trusted IdP key, so an attacker cannot substitute their own signing key [ref_id=1]. A certificate embedded in the response may at most be compared against the configured one; it must not be used as the verifier key on its own.
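The following Go program is an added illustration of the trust decision described under Exploitation and What the fix does; it is not Casdoor's code and does not parse real SAML XML. A constructed SimpleResponse stands in for a SAMLResponse (signed bytes, RSA-SHA256 signature, and the base64 DER certificate a real response carries in ds:KeyInfo); the function names vulnerableCertStore, hardenedCertStore, verify and Demo are hypothetical. It shows that a store built from the embedded certificate accepts an attacker-forged assertion, while a store built only from the configured IdP certificate rejects it and still accepts the genuine one.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SimpleResponse is a constructed stand-in for a SAMLResponse: the signed bytes,
// the RSA-SHA256 signature over them, and the base64 DER certificate a real
// response would carry in <ds:KeyInfo>. XML-DSig canonicalisation is omitted;
// only the trust decision is modelled.
type SimpleResponse struct {
	Assertion   []byte
	Signature   []byte
	EmbeddedB64 string
}

// selfSigned returns a fresh RSA key and a self-signed certificate for it.
func selfSigned(cn string) (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// sign produces a response signed with key and embedding cert as its KeyInfo.
func sign(assertion []byte, key *rsa.PrivateKey, cert *x509.Certificate) (*SimpleResponse, error) {
	h := sha256.Sum256(assertion)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		return nil, err
	}
	return &SimpleResponse{Assertion: assertion, Signature: sig,
		EmbeddedB64: base64.StdEncoding.EncodeToString(cert.Raw)}, nil
}

// vulnerableCertStore mirrors the flaw: the trust store is built from whatever
// certificate the untrusted response carries, so the attacker picks the verifier key.
func vulnerableCertStore(resp *SimpleResponse) ([]*x509.Certificate, error) {
	der, err := base64.StdEncoding.DecodeString(resp.EmbeddedB64)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return []*x509.Certificate{cert}, nil
}

// hardenedCertStore ignores the response: only administrator-configured IdP
// certificates may verify an assertion.
func hardenedCertStore(configured []*x509.Certificate) []*x509.Certificate {
	return configured
}

// verify accepts the response if its signature checks against any store certificate.
func verify(resp *SimpleResponse, store []*x509.Certificate) error {
	h := sha256.Sum256(resp.Assertion)
	for _, c := range store {
		if pub, ok := c.PublicKey.(*rsa.PublicKey); ok &&
			rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], resp.Signature) == nil {
			return nil
		}
	}
	return errors.New("signature does not verify against any trusted IdP certificate")
}

// Outcome records the trust decisions for a genuine and a forged response.
type Outcome struct{ VulnerableAcceptsForged, HardenedAcceptsForged, HardenedAcceptsLegit bool }

// Demo runs both stores against an IdP-signed and an attacker-forged response.
func Demo() (Outcome, error) {
	var o Outcome
	idpKey, idpCert, err := selfSigned("trusted-idp") // the certificate the admin configured
	if err != nil {
		return o, err
	}
	attKey, attCert, err := selfSigned("attacker") // attacker-generated key pair
	if err != nil {
		return o, err
	}
	assertion := []byte(`<saml:Assertion><saml:Subject>admin</saml:Subject></saml:Assertion>`) // constructed
	legit, err := sign(assertion, idpKey, idpCert)
	if err != nil {
		return o, err
	}
	forged, err := sign(assertion, attKey, attCert)
	if err != nil {
		return o, err
	}
	vstore, err := vulnerableCertStore(forged)
	if err != nil {
		return o, err
	}
	hstore := hardenedCertStore([]*x509.Certificate{idpCert})
	o.VulnerableAcceptsForged = verify(forged, vstore) == nil
	o.HardenedAcceptsForged = verify(forged, hstore) == nil
	o.HardenedAcceptsLegit = verify(legit, hstore) == nil
	return o, nil
}

func main() {
	o, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The hardened store never reads the response's certificate; if an implementation wants to keep the embedded certificate for diagnostics, it should compare it (by DER bytes or fingerprint) with the configured one and reject on mismatch rather than verify with it.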
Preconditions
- network: Attacker must be able to reach Casdoor's SAML authentication endpoint
- input: Attacker must possess an X.509 certificate and private key (self-generated)
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 1
News mentions: 0
No linked articles in our index yet.