High severity8.1NVD Advisory· Published May 28, 2026· Updated May 28, 2026
CVE-2026-9095
CVE-2026-9095
Description
Casdoor versions 2.362.0 and earlier map SAML assertions to user sessions without replay protection. The ParseSamlResponse() function in object/saml_sp.go calls sp.RetrieveAssertionInfo() and immediately maps the result to a user session. There is no assertion ID cache, OneTimeUse condition enforcement, or replay detection anywhere in the SAML SP code path. As a result, an attacker can replay a previously captured SAML assertion to obtain an authenticated session for the assertion’s subject, including administrator accounts, without needing the user’s password or MFA credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
1News mentions
1- Casdoor: Nine SAML & SSO Flaws Disclosed, Including Critical Auth Bypass (CVE-2026-9090)Vypr Intelligence · May 28, 2026