CVE-2026-9091
Description
Casdoor versions 2.362.0 and earlier contain a logic flaw in the social‑login binding flow that allows users to bypass configured MFA requirements. The binding‑rule code path in controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable. Any user authenticating via this path is logged in without MFA enforcement.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A logic flaw in Casdoor's social-login binding flow lets users bypass MFA: the binding-rule code path calls HandleLoggedIn without first running checkMfaEnable, so a session is issued with no second-factor challenge.
Vulnerability
In Casdoor versions 2.362.0 and earlier, the social-login binding flow contains a logic flaw where the HandleLoggedIn function is called directly without invoking checkMfaEnable [1]. This occurs in controllers/auth.go in the binding-rule code path. Any user authenticating via this path is logged in without MFA enforcement, even if MFA is configured as a requirement.
Exploitation
An attacker needs the ability to complete a social login that Casdoor routes through the binding-rule code path, that is, to authenticate at a social-login provider configured as a binding rule for the target instance. No further privileges are required, and the attacker does nothing unusual: the binding flow is followed as designed, the code path never calls checkMfaEnable, and the flow ends in a fully logged-in session even though MFA is configured for the account, application or organization.
Impact
Successful exploitation yields a session for the user without a second factor ever being presented. The MFA requirement configured by the administrator is therefore not enforced on this path, so any account whose protection depends on MFA (for example one whose linked social identity or password has been compromised) can be accessed, with consequences up to privilege escalation depending on the user's role.
Mitigation
As of the publication date, no fixed version has been released. The vulnerability affects all Casdoor versions 2.362.0 and earlier. Users should monitor Casdoor releases for a patch and consider disabling social-login binding if not needed, or implement compensating controls such as network restrictions.
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing MFA enforcement check in the social‑login binding code path — `HandleLoggedIn` is called without first invoking `checkMfaEnable`."
Attack vector
An attacker who can authenticate via a social‑login provider (e.g., GitHub, Google, or any OAuth/OIDC identity provider configured as a binding rule) is logged in without any MFA challenge, even if the Casdoor administrator has configured MFA requirements for the application or organization. The attacker simply completes the social‑login binding flow normally; this code path never checks whether MFA is enabled for the user or the target resource [1]. The security control that MFA is meant to provide before a session is granted is thereby bypassed.
Affected code
The vulnerability resides in the social‑login binding flow within `controllers/auth.go`. The binding‑rule code path calls `HandleLoggedIn` directly without first invoking `checkMfaEnable`, skipping MFA enforcement entirely [1].
What the fix does
The advisory does not provide a patch diff or specific remediation code. A fix would have to change the binding‑rule code path in `controllers/auth.go` so that `checkMfaEnable` runs before, or as part of, `HandleLoggedIn`, ensuring that MFA enforcement is applied uniformly regardless of which authentication flow reaches the login handler [1]. Until a patch is released, administrators should monitor for updates from the Casdoor project.
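The bug class described above is a login entry point that skips a gate every other entry point runs. The following Go program is an added illustration, not Casdoor's code: the types, the `issueSession` / `mfaRequired` functions (standing in for `HandleLoggedIn` and `checkMfaEnable`), and the entry-point names are all assumptions chosen to model the flow. It shows the vulnerable shape (a binding path that mints a session directly), the corrected shape (every path funnels through one MFA gate), and a probe a project could keep as a regression test: it drives an MFA-enrolled user through every registered login path and reports any path that hands out a session without a verified second factor.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Illustrative model only; none of these types mirror Casdoor's real structs.
type User struct {
	Name       string
	MfaEnabled bool // the user has enrolled a second factor
}

type Org struct {
	Name       string
	RequireMfa bool // organization policy forces MFA for all members
}

// Session is what a successful login hands back to the caller.
type Session struct {
	User        string
	MfaVerified bool
}

var ErrMfaChallenge = errors.New("mfa challenge required before login completes")

// mfaRequired plays the role of checkMfaEnable: decide whether this login
// must pass an MFA challenge before a session may be issued.
func mfaRequired(u User, o Org) bool {
	return u.MfaEnabled || o.RequireMfa
}

// issueSession plays the role of HandleLoggedIn: it mints a session for an
// identity that the caller claims is fully authenticated. It knows nothing
// about MFA, so every caller is responsible for gating it.
func issueSession(u User, mfaVerified bool) Session {
	return Session{User: u.Name, MfaVerified: mfaVerified}
}

// bindingLoginVulnerable models the flawed binding-rule path: the social
// provider confirmed the identity, so the code jumps straight to issuing a
// session and never consults mfaRequired.
func bindingLoginVulnerable(u User, o Org) (Session, error) {
	return issueSession(u, false), nil
}

// completeLogin is the single chokepoint every login path should end in:
// the MFA gate runs here, so no path can forget it.
func completeLogin(u User, o Org, mfaVerified bool) (Session, error) {
	if mfaRequired(u, o) && !mfaVerified {
		return Session{}, ErrMfaChallenge
	}
	return issueSession(u, mfaVerified), nil
}

// bindingLoginFixed models the corrected binding-rule path: identical to the
// password path once the provider has vouched for the identity.
func bindingLoginFixed(u User, o Org, mfaVerified bool) (Session, error) {
	return completeLogin(u, o, mfaVerified)
}

// loginPath is any entry point that can end in a session.
type loginPath func(u User, o Org, mfaVerified bool) (Session, error)

// mfaBypassingPaths probes every registered entry point with an MFA-enrolled
// user and no verified second factor, and returns the names of the paths
// that issue a session anyway. An empty result is the desired state.
func mfaBypassingPaths(paths map[string]loginPath) []string {
	probeUser := User{Name: "probe", MfaEnabled: true}
	probeOrg := Org{Name: "probe-org"}
	var leaking []string
	for name, p := range paths {
		if _, err := p(probeUser, probeOrg, false); err == nil {
			leaking = append(leaking, name)
		}
	}
	sort.Strings(leaking) // deterministic output regardless of map order
	return leaking
}

func main() {
	paths := map[string]loginPath{
		"password":           completeLogin,
		"binding-vulnerable": func(u User, o Org, _ bool) (Session, error) { return bindingLoginVulnerable(u, o) },
		"binding-fixed":      bindingLoginFixed,
	}
	fmt.Println("login paths that issue a session without MFA:", mfaBypassingPaths(paths))
}
```

The probe deliberately treats every entry point the same way: it does not care how the first factor was satisfied, only whether a session comes back without MFA for a user who requires it. Registering each new login route in such a table is a cheap way to keep a binding, device-code or other secondary flow from quietly reintroducing the bypass.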
Preconditions
- config: The Casdoor instance must have MFA enforcement configured for the target application or organization.
- auth: The attacker must be able to authenticate via a social-login provider that is configured as a binding rule in Casdoor.
- network: The attacker must have network access to the Casdoor authentication interface.
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (1)
News mentions (0)
No linked articles in our index yet.