CVE-2026-9094
Description
Casdoor versions 2.362.0 and earlier contain a vulnerability enabling cross-organization token exchange. The GetTokenExchangeToken function in object/token_oauth.go validates JWT signatures but does not verify that the token's user belongs to the same organization as the target application. This can result in privilege escalation across organizational boundaries.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Casdoor 2.362.0 and earlier does not verify organization membership during token exchange, allowing cross-organization privilege escalation.
Vulnerability
Casdoor versions 2.362.0 and earlier contain a flaw in the GetTokenExchangeToken function in object/token_oauth.go. The function validates the JWT signature but does not verify that the token's user belongs to the same organization as the target application, enabling a cross-organization token exchange [1].
Exploitation
An attacker who can interact with Casdoor's authentication interface and obtain a valid JWT from one organization can present that token to the token exchange endpoint to obtain a token for a different organization. No additional authentication or user interaction is required beyond possession of a valid token from the source organization [1].
Impact
Successful exploitation allows an attacker to escalate privileges across organizational boundaries. The attacker gains access to applications and resources in a target organization as if they were an authenticated user of that organization, potentially leading to information disclosure, data manipulation, or further compromise within the target organization [1].
Mitigation
As of the publication date, no fix has been released for this vulnerability. Users should upgrade to a patched version once it becomes available. Monitor vendor advisories and CERT/CC VU#780781 for updates. No workaround is currently documented [1].
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing organization-membership check in GetTokenExchangeToken allows cross-organization token exchange."
Attack vector
An attacker who possesses a valid JWT for a user in Organization A can present that token to the token-exchange endpoint for an application configured in Organization B [ref_id=1]. Because `GetTokenExchangeToken` only checks the JWT signature and does not verify organizational membership, the exchange succeeds, producing a token scoped to Organization B's application on behalf of the Organization A user [ref_id=1]. This enables privilege escalation across organizational boundaries — for example, a low-privilege user in one organization could obtain tokens for sensitive applications in another organization [ref_id=1].
Affected code
The vulnerable function is `GetTokenExchangeToken` in `object/token_oauth.go` [ref_id=1]. This function validates the JWT signature but does not verify that the token's user belongs to the same organization as the target application [ref_id=1].
What the fix does
The advisory does not include a patch diff or specific remediation code [ref_id=1]. To close the vulnerability, the `GetTokenExchangeToken` function must be modified to compare the organization claim in the incoming JWT against the organization of the target application, and reject the exchange if they do not match [ref_id=1]. No official fix has been published as of the advisory's disclosure [ref_id=1].
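As an added illustration of the check described above (this is not Casdoor's code, and the claim and application field names are assumptions), the signature-only path is shown beside a path that also compares the user's organization with the target application's organization and rejects the exchange on mismatch:

```go
package main

import (
	"errors"
	"fmt"
)

// Claims is the subset of verified JWT claims the check needs
// (hypothetical field names, not Casdoor's claim struct).
type Claims struct {
	Owner string // organization the token's user belongs to
	Name  string // user name
}

// Application is the exchange target (hypothetical struct).
type Application struct {
	Name         string
	Organization string
}

var ErrCrossOrganization = errors.New(
	"token exchange rejected: user organization does not match application organization")

// issueToken stands in for token minting; the string encodes who got a token for what.
func issueToken(c Claims, app Application) string {
	return fmt.Sprintf("token:%s/%s->%s", c.Owner, c.Name, app.Name)
}

// exchangeTokenVulnerable models the flawed flow: signature already verified
// by the caller, no organization check, so an org-a user gets an org-b token.
func exchangeTokenVulnerable(c Claims, app Application) (string, error) {
	return issueToken(c, app), nil
}

// exchangeTokenFixed adds the missing membership check. An empty owner claim
// is treated as a mismatch rather than silently matching an empty org field.
func exchangeTokenFixed(c Claims, app Application) (string, error) {
	if c.Owner == "" || app.Organization == "" || c.Owner != app.Organization {
		return "", ErrCrossOrganization
	}
	return issueToken(c, app), nil
}

func main() {
	alice := Claims{Owner: "org-a", Name: "alice"} // constructed sample user
	payroll := Application{Name: "payroll", Organization: "org-b"}
	tok, _ := exchangeTokenVulnerable(alice, payroll)
	fmt.Println("vulnerable path issued:", tok)
	_, err := exchangeTokenFixed(alice, payroll)
	fmt.Println("fixed path:", err)
}
```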
Preconditions
- auth: The attacker must possess a valid JWT for a user in any organization (e.g., Organization A).
- config: The target Casdoor instance must have at least two organizations configured with applications.
- network: The attacker must be able to reach the token-exchange endpoint (e.g., /api/token-exchange).
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (1)
News mentions (0)
No linked articles in our index yet.