VYPR
Unrated severity · NVD Advisory · Published May 28, 2026 · Updated May 28, 2026

CVE-2026-9093

Description

In Casdoor versions 2.362.0 and earlier, the SAML service provider implementation does not validate the AudienceRestriction element in SAML assertions. The buildSp function in object/saml_sp.go never sets AudienceURI on the gosaml2 SAMLServiceProvider struct and never inspects WarningInfo.NotInAudience. This allows assertions issued for other service providers to be accepted by Casdoor.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Casdoor ≤2.362.0 SAML SP does not validate AudienceRestriction, allowing assertions for other SPs to be accepted, leading to authentication bypass.

Vulnerability

In Casdoor versions 2.362.0 and earlier, the SAML service provider implementation fails to validate the AudienceRestriction element in SAML assertions. The buildSp function in object/saml_sp.go never sets AudienceURI on the gosaml2.SAMLServiceProvider struct and never inspects WarningInfo.NotInAudience. This allows SAML assertions issued for any other service provider to be accepted by Casdoor [1].

Exploitation

An attacker who can craft or obtain a SAML assertion intended for a different service provider (for example, by compromising another SP or using a malicious IdP) can present that assertion to Casdoor. No special network position is required beyond the ability to send an HTTP request to Casdoor's SAML endpoint, and no prior authentication is needed, because the flaw lies in the assertion consumption step [1].

Impact

Successful exploitation allows an attacker to authenticate as any user for whom they have a valid SAML assertion from another SP. This completely bypasses Casdoor's authentication mechanism, leading to unauthorized access and potential privilege escalation depending on the victim user's permissions [1].

Mitigation

As of the publication date (2026-05-28), no patched version has been released. Users should monitor Casdoor for updates and apply them when available. No workaround is documented. The vulnerability affects all Casdoor versions 2.362.0 and earlier [1].

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2 entries
  • Casdoor/Casdoor (inferred), 2 version ranges
    • (no CPE) range: <=2.362.0
    • (no CPE) range: <=2.362.0

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing AudienceRestriction validation in SAML SP implementation allows acceptance of assertions intended for other service providers."

Attack vector

An attacker who has obtained a valid SAML assertion issued for any other service provider (SP) can present that assertion to Casdoor's SAML endpoint. Because Casdoor never sets `AudienceURI` on its `SAMLServiceProvider` struct and never checks `WarningInfo.NotInAudience`, it will accept the assertion even though the assertion's intended audience is a different SP [ref_id=1]. This allows the attacker to authenticate as the assertion's subject without valid credentials for the Casdoor instance.

Affected code

The vulnerability is in the SAML service provider implementation in `object/saml_sp.go`. The `buildSp` function never sets `AudienceURI` on the `gosaml2` `SAMLServiceProvider` struct, and the `ParseSamlResponse()` function never inspects `WarningInfo.NotInAudience` [ref_id=1].

What the fix does

The advisory does not include a patch diff, but states that the fix requires Casdoor to set the `AudienceURI` field on the `SAMLServiceProvider` struct to the Casdoor SP's own entity ID, and to check `WarningInfo.NotInAudience` after calling `RetrieveAssertionInfo()` to reject assertions whose audience does not match [ref_id=1]. Without these changes, the SP cannot distinguish assertions intended for itself from those intended for other services.
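The check the advisory describes reduces to comparing the assertion's AudienceRestriction against the SP's own entity ID. The Go program below is an added example, not Casdoor's code and not the gosaml2 library: it implements that comparison stand-alone with encoding/xml over constructed sample assertions, so the reader can see exactly what setting `AudienceURI` and rejecting on `WarningInfo.NotInAudience` is meant to enforce. The entity IDs, issuer and assertions are constructed placeholders; `CheckAudience` and the `Err*` values are names chosen here. It assumes the assertion's XML signature has already been verified, and it is deliberately stricter than the gosaml2 warning in one respect: an assertion with no AudienceRestriction at all is also rejected.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"strings"
)

// Only the parts of a SAML 2.0 Assertion the audience check needs. Tags are
// namespace-qualified so elements from other namespaces are ignored.
type assertion struct {
	XMLName    xml.Name   `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
	Issuer     string     `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
	Conditions conditions `xml:"urn:oasis:names:tc:SAML:2.0:assertion Conditions"`
}

type conditions struct {
	AudienceRestrictions []audienceRestriction `xml:"urn:oasis:names:tc:SAML:2.0:assertion AudienceRestriction"`
}

type audienceRestriction struct {
	Audiences []string `xml:"urn:oasis:names:tc:SAML:2.0:assertion Audience"`
}

var (
	ErrNoAudienceRestriction = errors.New("assertion carries no AudienceRestriction")
	ErrNotInAudience         = errors.New("assertion audience does not name this SP")
)

// CheckAudience returns nil only if every AudienceRestriction in the
// (already signature-verified) assertion names spEntityID. SAML Core
// requires all AudienceRestriction elements to be satisfied, so they are
// ANDed; the audiences inside one element are ORed.
func CheckAudience(assertionXML, spEntityID string) error {
	var a assertion
	if err := xml.Unmarshal([]byte(assertionXML), &a); err != nil {
		return fmt.Errorf("parse assertion: %w", err)
	}
	if len(a.Conditions.AudienceRestrictions) == 0 {
		return ErrNoAudienceRestriction // strict policy: no audience, no login
	}
	for _, ar := range a.Conditions.AudienceRestrictions {
		matched := false
		for _, aud := range ar.Audiences {
			if strings.TrimSpace(aud) == spEntityID {
				matched = true
				break
			}
		}
		if !matched {
			return fmt.Errorf("%w: got %v, want %q", ErrNotInAudience, ar.Audiences, spEntityID)
		}
	}
	return nil
}

// SPEntityID is a hypothetical entity ID for this SP (placeholder, not a real deployment).
const SPEntityID = "https://casdoor.example/api/saml/metadata"

// Constructed sample: an assertion the IdP issued for this SP.
const AssertionForUs = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2026-05-28T00:00:00Z">
  <saml:Issuer>https://idp.example/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2026-05-28T00:00:00Z" NotOnOrAfter="2026-05-28T00:05:00Z">
    <saml:AudienceRestriction><saml:Audience> https://casdoor.example/api/saml/metadata </saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>`

// Constructed sample: the same IdP, same subject, but issued for a different SP.
const AssertionForOtherSP = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a2" Version="2.0" IssueInstant="2026-05-28T00:00:00Z">
  <saml:Issuer>https://idp.example/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2026-05-28T00:00:00Z" NotOnOrAfter="2026-05-28T00:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://other-sp.example/metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>`

// Constructed sample: no AudienceRestriction at all.
const AssertionWithoutAudience = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a3" Version="2.0" IssueInstant="2026-05-28T00:00:00Z">
  <saml:Issuer>https://idp.example/metadata</saml:Issuer>
  <saml:Conditions NotBefore="2026-05-28T00:00:00Z" NotOnOrAfter="2026-05-28T00:05:00Z"/>
</saml:Assertion>`

func main() {
	samples := map[string]string{
		"issued for this SP":  AssertionForUs,
		"issued for other SP": AssertionForOtherSP,
		"no restriction":      AssertionWithoutAudience,
	}
	for name, doc := range samples {
		fmt.Printf("%-20s -> %v\n", name, CheckAudience(doc, SPEntityID))
	}
}
```

Without this comparison an SP accepts the second sample exactly as it accepts the first, which is the bypass the advisory describes; with it, the second and third samples are rejected before any session is created. The check belongs after signature verification and alongside the NotBefore/NotOnOrAfter checks, and the value compared against must be the SP's own metadata entity ID, not a value taken from the request.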

Preconditions

  • input: Attacker must possess a valid SAML assertion issued for any service provider other than Casdoor
  • network: Attacker must be able to submit the SAML assertion to Casdoor's SAML assertion consumer endpoint

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1

News mentions

0

No linked articles in our index yet.