VYPR
Unrated severity · NVD Advisory · Published May 28, 2026 · Updated May 28, 2026

CVE-2026-9096

Description

Casdoor versions 2.362.0 and earlier do not enforce SAML assertion time bounds. The gosaml2 library reports all time-validation results, including NotOnOrAfter and NotBefore, in the assertionInfo.WarningInfo field. However, ParseSamlResponse() never reads this field, meaning that time bounds are computed by the library but silently discarded before the user session is issued.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Casdoor ≤ 2.362.0 silently discards SAML assertion time bounds, allowing expired or not-yet-valid assertions to create valid sessions.

Vulnerability

Casdoor versions 2.362.0 and earlier do not enforce SAML assertion time bounds. The underlying gosaml2 library computes all time validations (NotOnOrAfter and NotBefore) and reports results in the assertionInfo.WarningInfo field. However, ParseSamlResponse() in Casdoor never reads this field, meaning time-bound checks are performed by the library but then silently discarded before a user session is issued [1].

Exploitation

An attacker who can craft or obtain a SAML assertion that lies outside its validity window, whether already expired (NotOnOrAfter passed) or not yet valid (NotBefore not reached), can submit it to Casdoor's SAML endpoint. Because the application never consults the time-validation results, the assertion is accepted and a session is created for its subject even though it is outside its intended validity period [1]. Nothing beyond submitting the stale assertion is required: no additional authentication and no user interaction.

Impact

Successful exploitation allows an attacker to use a SAML assertion that has expired or has not yet become valid to authenticate as the target user. This effectively bypasses the time-based security guarantees of the SAML protocol, leading to unauthorized access to the victim's account and all resources tied to that identity [1].

Mitigation

As of the publication date (2026-05-28), no fixed version of Casdoor is available for this vulnerability. Users should monitor Casdoor releases and apply an update once a patched version (expected to read and enforce WarningInfo from gosaml2) is provided. No workaround is known [1].

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Casdoor/Casdoor (inferred), range: <=2.362.0 (no CPE)

Patches

No patches discovered yet.

Vulnerability mechanics

Root cause

"ParseSamlResponse() discards the gosaml2 library's time-bound validation results by never reading the WarningInfo field."

Attack vector

An attacker who has captured a previously valid SAML assertion (e.g., via network interception or by controlling an upstream IdP) can replay it after its NotOnOrAfter instant has passed, or present one whose NotBefore instant has not yet arrived. Because `ParseSamlResponse()` ignores the `WarningInfo` field in which the gosaml2 library reports time-bound violations, Casdoor accepts the stale assertion and issues an authenticated session for its subject [1]. No additional authentication or MFA is required. The flaw does not by itself defeat signature validation, so the assertion must still be one the IdP actually signed; what the flaw removes is the time limit on how long such an assertion remains usable.

Affected code

The vulnerability is in `ParseSamlResponse()` in `object/saml_sp.go`. This function calls `sp.RetrieveAssertionInfo()` from the gosaml2 library, which computes time-validation results (NotOnOrAfter, NotBefore) and stores them in the `assertionInfo.WarningInfo` field. However, `ParseSamlResponse()` never reads `WarningInfo`, so all time-bound violations are silently discarded [1].

What the fix does

The advisory does not include a patch diff, but the remediation is clear: `ParseSamlResponse()` must inspect `assertionInfo.WarningInfo` after calling `sp.RetrieveAssertionInfo()` and reject the assertion when it reports that the NotOnOrAfter or NotBefore constraints have been violated [1]. In gosaml2 that result is the `WarningInfo.InvalidTime` flag, which the library sets rather than returning an error; its own usage example checks `WarningInfo.InvalidTime` and `WarningInfo.NotInAudience` explicitly before trusting the subject, and an SP that skips those checks has computed the validation but never acted on it.
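Added example, not Casdoor's or gosaml2's code: a self-contained Go program showing the time-window evaluation the library performs and the gate the fix needs in the caller. The `WarningInfo` and `AssertionInfo` types are stand-ins that copy the field names gosaml2 documents (an assumption made so the program runs without the library); `Evaluate` takes the place of `sp.RetrieveAssertionInfo()` and, like it, reports the window result in `WarningInfo` instead of failing. The assertion is constructed and unsigned; signature validation is out of scope. `VulnerableAccept` reproduces the flawed pattern the advisory describes and `HardenedAccept` the corrected one.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// Stand-ins copying the field names gosaml2 documents (assumption; defined so this runs without the library).
type WarningInfo struct {
	NotInAudience bool
	InvalidTime   bool
}
type AssertionInfo struct {
	NameID      string
	WarningInfo *WarningInfo
}

// parsedAssertion is the subset of <saml:Assertion> read here; matching by local name ignores the prefix.
type parsedAssertion struct {
	Subject struct {
		NameID string `xml:"NameID"`
	} `xml:"Subject"`
	Conditions struct {
		NotBefore    string `xml:"NotBefore,attr"`
		NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
	} `xml:"Conditions"`
}

// Constructed sample (unsigned; signature checks are out of scope): its window closed at 10:05Z.
const sampleAssertion = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_a1" IssueInstant="2026-05-28T10:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2026-05-28T10:00:00Z" NotOnOrAfter="2026-05-28T10:05:00Z"/>
</saml:Assertion>`

// WindowValid applies SAML 2.0 Core 2.5.1: NotBefore is inclusive, NotOnOrAfter is
// exclusive; skew widens the window at both ends to absorb clock drift (0 = strict).
func WindowValid(notBefore, notOnOrAfter string, now time.Time, skew time.Duration) (bool, error) {
	if notBefore != "" {
		nb, err := time.Parse(time.RFC3339, notBefore)
		if err != nil {
			return false, err
		}
		if now.Add(skew).Before(nb) {
			return false, nil // not yet valid
		}
	}
	if notOnOrAfter != "" {
		noa, err := time.Parse(time.RFC3339, notOnOrAfter)
		if err != nil {
			return false, err
		}
		if !now.Add(-skew).Before(noa) {
			return false, nil // expired: now >= NotOnOrAfter
		}
	}
	return true, nil
}

// Evaluate stands in for sp.RetrieveAssertionInfo(): the window result lands in WarningInfo, not in err.
func Evaluate(raw []byte, now time.Time, skew time.Duration) (*AssertionInfo, error) {
	var a parsedAssertion
	if err := xml.Unmarshal(raw, &a); err != nil {
		return nil, err
	}
	ok, err := WindowValid(a.Conditions.NotBefore, a.Conditions.NotOnOrAfter, now, skew)
	if err != nil {
		return nil, err
	}
	return &AssertionInfo{NameID: a.Subject.NameID, WarningInfo: &WarningInfo{InvalidTime: !ok}}, nil
}

var ErrInvalidTime = errors.New("saml: assertion outside its NotBefore/NotOnOrAfter window")
var ErrNotInAudience = errors.New("saml: assertion audience does not include this SP")

// VulnerableAccept reproduces the flawed pattern: WarningInfo is never read.
func VulnerableAccept(info *AssertionInfo) (string, error) { return info.NameID, nil }

// HardenedAccept is the gate the advisory says ParseSamlResponse() lacks (missing results fail closed).
func HardenedAccept(info *AssertionInfo) (string, error) {
	if info.WarningInfo == nil || info.WarningInfo.InvalidTime {
		return "", ErrInvalidTime
	}
	if info.WarningInfo.NotInAudience {
		return "", ErrNotInAudience
	}
	return info.NameID, nil
}

func main() {
	now := time.Date(2026, 5, 28, 10, 30, 0, 0, time.UTC) // 25 min after the window closed
	info, err := Evaluate([]byte(sampleAssertion), now, 2*time.Minute)
	if err != nil {
		panic(err)
	}
	user, _ := VulnerableAccept(info)
	_, hardenedErr := HardenedAccept(info)
	fmt.Printf("vulnerable path: session for %q; hardened path: %v\n", user, hardenedErr)
}
```

The skew allowance is deliberately symmetric and small: it is there for clock drift between IdP and SP, not as a grace period, and a replay minutes after NotOnOrAfter must still fail. Treating a missing `WarningInfo` as a rejection keeps the gate fail-closed if the library ever returns without populating it.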

Preconditions

  • input: Attacker must possess a SAML assertion that lies outside its validity window: either already expired (NotOnOrAfter passed) or not yet valid (NotBefore not reached).
  • config: The target Casdoor instance must have SAML SP functionality enabled and configured with an upstream IdP.
  • network: Attacker must be able to deliver the SAML assertion to the Casdoor /api/acs endpoint.

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
