VYPR
High severity · 8.1 · NVD Advisory · Published May 28, 2026 · Updated May 28, 2026

CVE-2026-9095

Description

Casdoor versions 2.362.0 and earlier map SAML assertions to user sessions without replay protection. The ParseSamlResponse() function in object/saml_sp.go calls sp.RetrieveAssertionInfo() and immediately maps the result to a user session. There is no assertion ID cache, OneTimeUse condition enforcement, or replay detection anywhere in the SAML SP code path. As a result, an attacker can replay a previously captured SAML assertion to obtain an authenticated session for the assertion’s subject, including administrator accounts, without needing the user’s password or MFA credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Casdoor 2.362.0 and earlier allow replay of SAML assertions without any protection, enabling session impersonation including admin accounts.

Vulnerability

Casdoor versions 2.362.0 and earlier lack replay protection in SAML assertion processing. The ParseSamlResponse() function in object/saml_sp.go calls sp.RetrieveAssertionInfo() and maps the result directly to a user session without maintaining an assertion ID cache, enforcing OneTimeUse conditions, or implementing any replay detection. This affects all SAML SP code paths in the affected versions.

Exploitation

An attacker who holds a valid SAML assertion that has already been presented once (captured from a plaintext hop, a TLS-terminating proxy, an application or proxy log that records SAMLResponse bodies, or a compromised browser or endpoint) can POST the same SAMLResponse to Casdoor's assertion consumer service again. SAML responses normally travel through the user's browser over HTTPS, so passive eavesdropping on the wire is only realistic where TLS is absent or terminated in front of Casdoor; logs and intermediaries are the more common capture points. The endpoint re-processes the assertion and creates a new authenticated session for its subject without checking whether it has been consumed before. No user interaction is required for the replay itself; the attacker only needs network reachability to the endpoint. Once time bounds are enforced the replay would have to happen while the assertion is still within its NotBefore/NotOnOrAfter window, but the affected versions do not check that window either (CVE-2026-9096), so even an expired assertion can currently be replayed.

Impact

A successful replay gives the attacker an authenticated session as any user whose assertion can be captured, including administrators, without the victim's password or MFA credentials. The attacker gains the target user's access and privileges in Casdoor and in every application that delegates authentication to it.

Mitigation

Casdoor has not released a fixed version as of the publication date (2026-05-28). Organizations running Casdoor 2.362.0 or earlier should apply the vendor's patch once it is available [1]. No workarounds are described in the advisory, and the vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1]. Until a fix ships, restrict network access to the SAML assertion consumer endpoint where the deployment allows it, make sure SAMLResponse bodies are not written to proxy or application logs (captured assertions are the attacker's raw material), and monitor for the same assertion ID being presented more than once or from more than one source address. Shortening assertion lifetimes at the IdP does not help on its own, because the affected versions also do not enforce the NotBefore/NotOnOrAfter window (tracked separately as CVE-2026-9096).
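One way to do the monitoring suggested above, as an added example that is not part of the advisory or of Casdoor's code: an offline pass over assertion consumer service logs that flags any assertion ID presented more than once and lists the source addresses involved. The log format and the lines themselves are constructed for the example; the advisory does not say what Casdoor logs, so a deployment has to emit the assertion ID and client IP itself first (from a reverse proxy in front of the ACS, for instance).

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample log. Assumption: one line per SAMLResponse received at
// the ACS, carrying the client IP, the assertion ID and the subject. The
// advisory does not describe Casdoor's log format; this is a hypothetical one.
const SampleACSLog = `2026-05-28T11:59:40Z acs ip=203.0.113.10 assertion_id=_9f3e subject=alice
2026-05-28T12:00:01Z acs ip=203.0.113.10 assertion_id=_a1b2c3 subject=admin
2026-05-28T12:00:02Z acs ip=203.0.113.11 assertion_id=_d4e5f6 subject=bob
2026-05-28T12:03:17Z acs ip=198.51.100.7 assertion_id=_a1b2c3 subject=admin
2026-05-28T12:03:18Z acs ip=198.51.100.7 assertion_id=_a1b2c3 subject=admin
2026-05-28T12:05:00Z login ip=203.0.113.12 user=carol`

// ACSEvent is one parsed assertion-consumer-service line.
type ACSEvent struct {
	Timestamp, IP, AssertionID, Subject string
}

// parseACSLine returns ok=false for lines that are not ACS events or that
// carry no assertion ID, so unrelated log lines are skipped rather than
// miscounted.
func parseACSLine(line string) (ACSEvent, bool) {
	fields := strings.Fields(line)
	if len(fields) < 3 || fields[1] != "acs" {
		return ACSEvent{}, false
	}
	ev := ACSEvent{Timestamp: fields[0]}
	for _, kv := range fields[2:] {
		k, v, found := strings.Cut(kv, "=")
		if !found {
			continue
		}
		switch k {
		case "ip":
			ev.IP = v
		case "assertion_id":
			ev.AssertionID = v
		case "subject":
			ev.Subject = v
		}
	}
	if ev.AssertionID == "" {
		return ACSEvent{}, false
	}
	return ev, true
}

// Replay is the evidence for one assertion ID presented more than once.
// Uses[0] is the first (presumably legitimate) presentation; later entries
// are the replays. SourceIPs is deduplicated and sorted.
type Replay struct {
	AssertionID string
	Subject     string
	Uses        []ACSEvent
	SourceIPs   []string
}

// FindReplays scans a log and returns every assertion ID seen more than
// once, sorted by assertion ID. A legitimate SP consumes each ID exactly
// once, so any second presentation is a replay (or a duplicate log line,
// which the timestamps and IPs let an analyst tell apart).
func FindReplays(log string) []Replay {
	byID := map[string][]ACSEvent{}
	for _, line := range strings.Split(log, "\n") {
		if ev, ok := parseACSLine(line); ok {
			byID[ev.AssertionID] = append(byID[ev.AssertionID], ev)
		}
	}
	var out []Replay
	for id, uses := range byID {
		if len(uses) < 2 {
			continue
		}
		ips := map[string]bool{}
		for _, u := range uses {
			ips[u.IP] = true
		}
		r := Replay{AssertionID: id, Subject: uses[0].Subject, Uses: uses}
		for ip := range ips {
			r.SourceIPs = append(r.SourceIPs, ip)
		}
		sort.Strings(r.SourceIPs)
		out = append(out, r)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].AssertionID < out[j].AssertionID })
	return out
}

func main() {
	for _, r := range FindReplays(SampleACSLog) {
		fmt.Printf("assertion %s for %q presented %d times from %v; first at %s, replayed at %s from %s\n",
			r.AssertionID, r.Subject, len(r.Uses), r.SourceIPs,
			r.Uses[0].Timestamp, r.Uses[1].Timestamp, r.Uses[1].IP)
	}
}
```

On the sample the detector reports a single replayed ID, the administrator's, first used from 203.0.113.10 and presented twice more three minutes later from 198.51.100.7. The same logic run against a live log stream, keyed on the same assertion ID, is the alert a SOC would want while no patch exists.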

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Casdoor/Casdoor (inferred), 2 version ranges
    • (no CPE) range: <=2.362.0
    • (no CPE) range: <=2.362.0

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing assertion ID cache, OneTimeUse condition enforcement, and replay detection in the SAML SP code path allows replayed SAML assertions to be accepted as valid authentication."

Attack vector

An attacker who has captured a valid SAML assertion (e.g., by sniffing network traffic or compromising an endpoint that logs SAML responses) can resend that same assertion to Casdoor's SAML assertion consumer service endpoint. The ParseSamlResponse() function in object/saml_sp.go calls sp.RetrieveAssertionInfo() and immediately maps the result to a user session without checking whether the assertion ID has been seen before, whether a OneTimeUse condition is present, or whether the assertion has already been consumed [ref_id=1]. Because no replay detection exists anywhere in the SAML SP code path, the replayed assertion is treated as a fresh authentication, granting the attacker a session as the assertion's subject — including administrator accounts — without requiring the user's password or MFA credentials [ref_id=1].

Affected code

The vulnerable code is in the ParseSamlResponse() function in object/saml_sp.go [ref_id=1]. This function calls sp.RetrieveAssertionInfo() and immediately maps the result to a user session without any assertion ID cache, OneTimeUse condition enforcement, or replay detection [ref_id=1]. The entire SAML SP code path lacks replay protection mechanisms.

What the fix does

The advisory does not provide a patch or remediation code. To close the vulnerability, Casdoor must add replay protection to the SAML SP code path: record each consumed assertion ID (in the database or an in-memory store, with a TTL matching the assertion's NotOnOrAfter, and shared across all Casdoor instances in a clustered deployment) and reject any assertion whose ID has already been processed [ref_id=1]. The code should also honour a OneTimeUse condition if present and act on the WarningInfo fields that sp.RetrieveAssertionInfo() returns [ref_id=1]: the underlying gosaml2 library reports an expired or not-yet-valid assertion, a wrong audience and OneTimeUse as flags on AssertionInfo.WarningInfo rather than as errors, so a caller that ignores them accepts assertions it should reject. Enforcing the time window and keeping the ID cache go together: without the time check the cache would have to retain every ID forever, and without the cache a still-valid assertion can be replayed.
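The check the advisory says is missing, written out as an added example that is not Casdoor's code or a vendor patch: a Go function that would sit between sp.RetrieveAssertionInfo() and the mapping to a user session, enforcing the time window, the WarningInfo flags and a consume-once cache keyed by assertion ID. The AssertionInfo and WarningInfo types are stand-ins for gosaml2's so the example builds without the dependency (assumption: in the real library the assertion ID and conditions are read from the Assertions slice rather than top-level fields); the cache, the sentinel errors and the sample assertion are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// WarningInfo mirrors the flags gosaml2 sets on AssertionInfo.WarningInfo
// instead of returning an error; the caller has to check them (assumption:
// field names as in that library, reduced to the ones used here).
type WarningInfo struct {
	InvalidTime   bool
	NotInAudience bool
	OneTimeUse    bool
}

// AssertionInfo is a stand-in for the value RetrieveAssertionInfo returns.
// Assumption: the ID and NotOnOrAfter are lifted out of the assertion itself.
type AssertionInfo struct {
	AssertionID  string
	NameID       string
	NotOnOrAfter time.Time
	WarningInfo  *WarningInfo
}

var (
	ErrReplay      = errors.New("saml: assertion ID already consumed")
	ErrInvalidTime = errors.New("saml: assertion outside NotBefore/NotOnOrAfter window")
	ErrAudience    = errors.New("saml: assertion not addressed to this SP")
	ErrNoID        = errors.New("saml: assertion has no ID")
)

// ReplayCache remembers consumed assertion IDs until their NotOnOrAfter
// passes; after that the time check alone rejects the assertion, so the
// entry can be dropped. Single-process only: a clustered deployment needs a
// shared store (the database, say) with the same consume-once semantics.
type ReplayCache struct {
	mu   sync.Mutex
	seen map[string]time.Time // assertion ID -> expiry
}

func NewReplayCache() *ReplayCache { return &ReplayCache{seen: map[string]time.Time{}} }

// Consume records id atomically and returns false if it was already present
// and unexpired. Expired entries are swept on each call.
func (c *ReplayCache) Consume(id string, expiry, now time.Time) bool {
	c.mu.Lock()
	defer c.mu.Unlock()
	for k, exp := range c.seen {
		if !now.Before(exp) {
			delete(c.seen, k)
		}
	}
	if _, dup := c.seen[id]; dup {
		return false
	}
	c.seen[id] = expiry
	return true
}

// AcceptAssertion is the gate ParseSamlResponse() lacks. It must run before
// the AssertionInfo is turned into a session; any error means no session.
func AcceptAssertion(cache *ReplayCache, info *AssertionInfo, now time.Time) error {
	if info.WarningInfo != nil {
		if info.WarningInfo.InvalidTime {
			return ErrInvalidTime
		}
		if info.WarningInfo.NotInAudience {
			return ErrAudience
		}
	}
	// Enforce NotOnOrAfter ourselves as well, so the cache can expire entries.
	if !now.Before(info.NotOnOrAfter) {
		return ErrInvalidTime
	}
	if info.AssertionID == "" {
		return ErrNoID // an assertion without an ID cannot be deduplicated
	}
	// Every assertion is consumed at most once whether or not the IdP set
	// OneTimeUse; the flag only confirms the IdP expects that behaviour.
	if !cache.Consume(info.AssertionID, info.NotOnOrAfter, now) {
		return ErrReplay
	}
	return nil
}

func main() {
	cache := NewReplayCache()
	now := time.Date(2026, 5, 28, 12, 0, 0, 0, time.UTC)
	// Constructed sample: the same assertion presented twice, as in a replay.
	a := &AssertionInfo{AssertionID: "_a1b2c3", NameID: "admin",
		NotOnOrAfter: now.Add(5 * time.Minute), WarningInfo: &WarningInfo{}}
	fmt.Println("first presentation:", AcceptAssertion(cache, a, now))
	fmt.Println("replay:", AcceptAssertion(cache, a, now.Add(time.Second)))
}
```

The second call returns ErrReplay; an assertion past NotOnOrAfter or flagged InvalidTime is refused before the cache is consulted, which is what keeps the cache bounded.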

Preconditions

  • network: Attacker must have captured a valid SAML assertion (e.g., via network interception, log access, or a compromised intermediary)
  • input: The captured assertion need not even be within its validity window (NotBefore/NotOnOrAfter), since the affected versions do not enforce time bounds either [ref_id=1, CVE-2026-9096]; once that is fixed, the replay must occur while the assertion is still valid

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1

News mentions

0

No linked articles in our index yet.