VYPR
Unrated severity · NVD Advisory · Published May 28, 2026 · Updated May 28, 2026

CVE-2026-9098

Description

In Casdoor versions 2.362.0 and earlier, the SAML callback handler in controllers/auth.go accepts any well-formed SAMLResponse sent to /api/acs without verifying that it corresponds to an AuthnRequest previously issued by Casdoor. Additionally, if an administrator disables or deletes an IdP (Identity Provider) after a SAML flow has started, the handler still processes the response using the provider snapshot loaded at the start of the request. As a result, an attacker controlling a registered upstream IdP can send unsolicited SAML responses, or replay a legitimately captured response in a different session or after the original flow has ended. In both cases, Casdoor accepts the response and issues a session, enabling persistent unauthorized access.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Casdoor <=2.362.0 accepts unsolicited or replayed SAML responses without verifying them against an issued AuthnRequest, allowing persistent unauthorized access via a malicious IdP.

Vulnerability

In Casdoor versions 2.362.0 and earlier, the SAML callback handler in controllers/auth.go accepts any well-formed SAMLResponse sent to /api/acs without verifying that it corresponds to an AuthnRequest previously issued by Casdoor. Additionally, if an administrator disables or deletes an IdP after a SAML flow has started, the handler still processes the response using the provider snapshot loaded at the start of the request [1]. In SAML terms, the InResponseTo attribute of the incoming response is never checked against the ID of a request Casdoor actually sent, so there is no session-level binding between the outgoing request and the incoming assertion and the handler cannot distinguish a solicited response from an unsolicited or replayed one.

Exploitation

An attacker who controls a registered upstream IdP can send unsolicited SAML responses to the /api/acs endpoint, asserting whichever user identity they choose. Alternatively, a valid SAMLResponse captured from a legitimate flow can be replayed in a different session or after the original flow has ended; in that scenario no user interaction is needed beyond the initial capture of the response. In neither case does the attacker need to authenticate to Casdoor directly; they only need the ability to deliver a crafted or captured SAMLResponse to the callback endpoint [1].

Impact

Successful exploitation causes Casdoor to accept the forged or replayed SAML assertion and issue a valid session for the attacker. This grants unauthorized access to the application as the impersonated user, which in the malicious-IdP scenario is any identity that IdP is trusted to assert and may include administrative accounts; because nothing ties acceptance to an outstanding request, the access is persistent in the sense that it can be re-established at will. The confidentiality, integrity, and availability of the system may all be compromised depending on the privileges of the impersonated account [1].

Mitigation

The vulnerability affects Casdoor 2.362.0 and earlier. No fixed version has been announced in the available references [1]; organizations should monitor the Casdoor project for a patched release. Allow-listing IdP IP addresses at /api/acs is not a viable workaround: under the SAML HTTP-POST binding the SAMLResponse is submitted by the user's browser, not by the IdP's servers, so such a filter would block legitimate logins while doing nothing against an attacker who can reach the endpoint. Until a fix is available, interim measures are to remove SAML providers that are not strictly required, to restrict the ability to register or modify providers to trusted administrators, and to review access logs for POSTs to /api/acs that were not preceded by a matching outbound AuthnRequest. Short assertion validity windows on the IdP side reduce the useful life of a captured response only if the relying party enforces the assertion's NotOnOrAfter condition, which the references do not confirm for this code path. There is no indication that this CVE is listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date.

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Casdoor / Casdoor (vendor and product inferred), 2 version ranges:
    • range: <=2.362.0 (no CPE)
    • range: <=2.362.0 (no CPE)

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing verification that a SAMLResponse corresponds to a prior AuthnRequest issued by Casdoor, and lack of IdP state validation after the SAML flow starts."

Attack vector

An attacker who controls a registered upstream IdP sends an unsolicited SAMLResponse to the /api/acs endpoint, or replays a previously captured legitimate SAMLResponse in a different session or after the original flow has ended [1]. Because Casdoor never verifies that the response corresponds to an AuthnRequest it previously issued, and because the handler uses a provider snapshot loaded at request start even if the IdP has since been disabled or deleted, the response is accepted and a session is issued [1]. This enables persistent unauthorized access without the victim's password or MFA credentials.

Affected code

The SAML callback handler in controllers/auth.go processes SAMLResponses sent to the /api/acs endpoint [1]. The handler accepts any well-formed response without verifying that it corresponds to a prior AuthnRequest, and uses a provider snapshot loaded at request start without checking whether the IdP has since been disabled or deleted [1].

What the fix does

The advisory does not include a patch or specific remediation code [1]. The remediation implied by the description is to enforce correlation between each incoming SAMLResponse and a previously issued, not yet consumed AuthnRequest, and to validate that the IdP is still active at the time the response is processed rather than relying on a snapshot taken at request start [1]. Without these changes, Casdoor remains vulnerable to unsolicited and replayed SAML assertions.
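The two checks described above (and the unsolicited and replay cases from the Exploitation section) as an added example in Go, Casdoor's implementation language. This is not Casdoor's code and not taken from the advisory: the ACSGuard type, the IssueAuthnRequest and AcceptResponse functions, the in-memory pending and seen stores, and the sampleResponse document are all assumptions made for illustration, and XML signature verification is assumed to have happened before AcceptResponse is called.

```go
package main

import (
	"crypto/rand"
	"encoding/xml"
	"errors"
	"fmt"
	"sync"
	"time"
)

type pendingRequest struct {
	providerID string // IdP the AuthnRequest was issued for
	expires    time.Time
}

// ACSGuard is a hypothetical correlation layer for an ACS endpoint (not Casdoor's code).
type ACSGuard struct {
	mu        sync.Mutex
	pending   map[string]pendingRequest    // AuthnRequest ID -> issuing context
	seen      map[string]time.Time         // accepted Assertion IDs -> expiry
	isEnabled func(providerID string) bool // live provider state, consulted at response time
	ttl       time.Duration
}

var ErrUnsolicited = errors.New("no live AuthnRequest for this provider matches InResponseTo")
var ErrProviderDisabled = errors.New("provider disabled or deleted")
var ErrReplay = errors.New("assertion ID already consumed")

func NewACSGuard(isEnabled func(string) bool, ttl time.Duration) *ACSGuard {
	return &ACSGuard{pending: map[string]pendingRequest{}, seen: map[string]time.Time{}, isEnabled: isEnabled, ttl: ttl}
}

// IssueAuthnRequest records an outgoing request and returns the ID to embed in it.
func (g *ACSGuard) IssueAuthnRequest(providerID string) (string, error) {
	if !g.isEnabled(providerID) {
		return "", ErrProviderDisabled
	}
	b := make([]byte, 16)
	rand.Read(b) // crypto/rand.Read is documented (Go 1.24+) never to return an error; it aborts instead
	id := fmt.Sprintf("_%x", b) // xs:ID values must not start with a digit
	g.mu.Lock()
	defer g.mu.Unlock()
	g.pending[id] = pendingRequest{providerID: providerID, expires: time.Now().Add(g.ttl)}
	return id, nil
}

// Only the fields the check needs; element namespaces are deliberately not matched.
type assertion struct {
	ID     string `xml:"ID,attr"`
	NameID string `xml:"Subject>NameID"`
}
type samlResponse struct {
	XMLName      xml.Name  `xml:"Response"`
	InResponseTo string    `xml:"InResponseTo,attr"`
	Assertion    assertion `xml:"Assertion"`
}

// AcceptResponse is the check the vulnerable handler lacks. The XML signature is assumed
// to have been verified against the provider's certificate before this call.
func (g *ACSGuard) AcceptResponse(providerID string, raw []byte) (string, error) {
	var r samlResponse
	if err := xml.Unmarshal(raw, &r); err != nil {
		return "", err
	}
	g.mu.Lock()
	defer g.mu.Unlock()
	now := time.Now()
	req, ok := g.pending[r.InResponseTo]
	delete(g.pending, r.InResponseTo) // one-time use, whatever happens next
	if !ok || now.After(req.expires) || req.providerID != providerID {
		return "", ErrUnsolicited
	}
	// Re-read provider state now instead of trusting a snapshot taken when the flow began.
	if !g.isEnabled(providerID) {
		return "", ErrProviderDisabled
	}
	if _, dup := g.seen[r.Assertion.ID]; dup || r.Assertion.ID == "" {
		return "", ErrReplay
	}
	g.seen[r.Assertion.ID] = now.Add(g.ttl)
	return r.Assertion.NameID, nil
}

// sampleResponse builds a constructed, unsigned SAMLResponse for demonstration only.
func sampleResponse(inResponseTo, assertionID, user string) []byte {
	return []byte(`<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" InResponseTo="` +
		inResponseTo + `"><saml:Assertion ID="` + assertionID + `"><saml:Subject><saml:NameID>` + user +
		`</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>`)
}

func main() {
	g := NewACSGuard(func(string) bool { return true }, 5*time.Minute)
	id, _ := g.IssueAuthnRequest("corp-idp")
	user, err := g.AcceptResponse("corp-idp", sampleResponse(id, "_a1", "alice"))
	fmt.Println("solicited:", user, err)
	_, err = g.AcceptResponse("corp-idp", sampleResponse(id, "_a1", "alice"))
	fmt.Println("replayed:", err)
}
```

Consuming the AuthnRequest ID on first use is what turns a replayed response into an unsolicited one, and binding the pending entry to the provider it was issued for stops a response signed by one IdP from completing a flow started with another. The assertion-ID cache is defence in depth for the case where a fresh request exists but the assertion itself is reused, and the isEnabled call at response time is the live check that replaces the snapshot the advisory describes. In a real deployment both stores would have to be shared across instances (a database or cache rather than process memory) and the TTL aligned with the assertion's NotOnOrAfter window.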

Preconditions

  • config: A SAML Identity Provider (IdP) must be registered in Casdoor. For the unsolicited-response scenario the attacker must control that IdP; for the replay scenario it is enough to hold a SAMLResponse captured from a legitimate flow through it.
  • network: The attacker must be able to send HTTP POST requests to the /api/acs endpoint of the Casdoor instance.

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1

News mentions

0

No linked articles in our index yet.