CVE-2026-9092
Description
Casdoor versions 2.362.0 and earlier contain a vulnerability involving unverified email binding that may enable account takeover. The getExistUserByBindingRule function matches users by email without checking the email_verified claim from upstream providers; the idp.UserInfo struct does not even include an EmailVerified field. An attacker can supply an unverified email claim from an upstream provider to take over accounts that use the same email address.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Casdoor ≤2.362.0 fails to verify the email_verified claim from upstream providers, allowing account takeover via unverified email binding.
Vulnerability
Casdoor versions 2.362.0 and earlier contain a vulnerability in the account binding mechanism. The getExistUserByBindingRule function matches users by email address without verifying the email_verified claim from upstream identity providers. The idp.UserInfo struct does not include an EmailVerified field, so the system cannot distinguish between verified and unverified email claims. This allows an attacker to bind an unverified email from a provider to an existing Casdoor account that uses the same email address. [1]
Exploitation
An attacker must be able to authenticate via an upstream identity provider that returns an email claim without verification. The attacker supplies an unverified email claim that matches the email of a target Casdoor user. The getExistUserByBindingRule function then binds the attacker's session to that user's account without requiring email verification. No additional authentication or user interaction is needed beyond the attacker's ability to control the email claim from the upstream provider. [1]
Impact
Successful exploitation enables account takeover. The attacker gains full access to the victim's Casdoor account, including any associated applications and permissions. This can lead to unauthorized access to sensitive data, privilege escalation, and further compromise of systems relying on Casdoor for authentication. [1]
Mitigation
As of the publication date (2026-05-28), no fixed version has been released. Users should monitor Casdoor releases for a patch addressing this issue. In the meantime, administrators should review account binding configurations and consider restricting upstream providers that do not enforce email verification. The vulnerability is tracked in CERT/CC VU#780781. [1]
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing email_verified check in account binding allows unverified email claims to match existing accounts."
Attack vector
An attacker who can authenticate via an upstream identity provider (e.g., a social login provider) can supply an unverified email claim that matches the email address of a target Casdoor account. Because `getExistUserByBindingRule` matches users solely on the email address without checking whether the upstream provider verified ownership of that email, the attacker's session is bound to the victim's account. This enables account takeover without needing the victim's password or any additional authentication. [1]
Affected code
The vulnerability resides in the `getExistUserByBindingRule` function, which matches users by email address without verifying the `email_verified` claim from upstream identity providers. The `idp.UserInfo` struct does not include an `EmailVerified` field, so the code path has no mechanism to distinguish verified from unverified email claims. [1]
What the fix does
The advisory does not provide a patch or specific remediation code. To close the vulnerability, the `idp.UserInfo` struct must be extended to include an `EmailVerified` field, and the `getExistUserByBindingRule` function must reject email matches when the upstream provider has not verified the email address. Without this check, any unverified email claim can be used to bind to an existing account. [1]
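The check described above, written out as an added Go example (not Casdoor's own code): a hypothetical `UserInfo` carrying the `EmailVerified` field the advisory says is missing, the email-only match the page describes beside a version that refuses claims the provider did not verify. The user store, account name and the `Vulnerable`/`Fixed` suffixes are constructed; only the struct, field and function names follow the advisory.

```go
package main

import "fmt"

// UserInfo stands in for the claims Casdoor receives from an upstream
// provider. Constructed for this example: the advisory says Casdoor's
// idp.UserInfo has no EmailVerified field, so this is the extended shape.
type UserInfo struct {
	Email         string
	EmailVerified bool // mirrors the OIDC email_verified claim
}

// User is a minimal stand-in for an existing Casdoor account.
type User struct {
	Name  string
	Email string
}

// existingUsers is constructed sample data: one registered account.
var existingUsers = []*User{{Name: "alice", Email: "alice@example.com"}}

// findByEmail returns the stored account with that address, or nil.
func findByEmail(email string) *User {
	for _, u := range existingUsers {
		if u.Email == email {
			return u
		}
	}
	return nil
}

// getExistUserByBindingRuleVulnerable reproduces the flaw the page
// describes: the account is matched on the address alone.
func getExistUserByBindingRuleVulnerable(info UserInfo) *User {
	return findByEmail(info.Email)
}

// getExistUserByBindingRuleFixed matches by email only when the upstream
// provider asserted ownership; otherwise the binding is refused.
func getExistUserByBindingRuleFixed(info UserInfo) (*User, error) {
	if info.Email == "" {
		return nil, nil
	}
	if !info.EmailVerified {
		return nil, fmt.Errorf("email %q not verified by provider; refusing to bind", info.Email)
	}
	return findByEmail(info.Email), nil
}
```

A caller that receives the error should fall through to another binding rule or create a fresh account rather than attach the session to the existing one.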
Preconditions
- Input: The upstream identity provider must return an email claim without setting an email_verified flag (or must allow the attacker to control the email claim).
- Config: A target Casdoor account must exist with the same email address as the unverified claim.
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 1
News mentions: 0
No linked articles in our index yet.