VYPR
Advisory · Published May 31, 2026 · 1 source

Nine SAML & SSO Flaws Disclosed in Casdoor, Including Critical Auth Bypass (CVE-2026-9090)

Nine vulnerabilities, including a critical SAML authentication bypass (CVE-2026-9090, CVSS 9.1), were disclosed in Casdoor 2.362.0 and earlier, with no patch yet available.

Nine security vulnerabilities were disclosed on May 28, 2026 in Casdoor, the open-source identity and access management (IAM) platform, affecting versions 2.362.0 and earlier. The batch spans a critical authentication bypass, multiple SAML implementation flaws, token-exchange weaknesses, and an MFA-bypass logic bug. Together they point to systemic trust-validation gaps in Casdoor's SAML service provider and OAuth token-exchange code paths.

The most severe vulnerability, CVE-2026-9090 (CVSS 9.1), allows an attacker to bypass authentication entirely by supplying an arbitrary X.509 signing certificate. The buildSpCertificateStore function extracts the certificate directly from the incoming SAMLResponse rather than using the trusted, pre-configured Identity Provider certificate. This means any attacker who can craft a SAML assertion — no privileged network position required — can sign it with their own certificate and have Casdoor accept it as valid. The result is complete authentication bypass against any instance running an affected version.

Four additional SAML-related vulnerabilities compound the risk. CVE-2026-9098 describes a missing SAML CSRF / ACS endpoint check: the SAML callback handler in controllers/auth.go accepts any well-formed SAMLResponse sent to /api/acs without verifying that it corresponds to an AuthnRequest previously issued by Casdoor. This enables unsolicited response injection. CVE-2026-9096 reveals that SAML assertion time bounds (NotOnOrAfter, NotBefore) are never enforced. The underlying gosaml2 library computes and reports time-validation results in assertionInfo.WarningInfo, but Casdoor's ParseSamlResponse() never reads that field. CVE-2026-9095 covers the absence of SAML replay protection — there is no assertion ID cache, no OneTimeUse condition enforcement, and no replay detection mechanism. CVE-2026-9093 addresses a missing AudienceRestriction validation: the buildSp function never sets AudienceURI on the gosaml2 SAMLServiceProvider struct, so assertions intended for other services are accepted.
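The five SAML-side checks described above (signer trust, solicited responses only, audience, time bounds, replay) collected into one validation routine, as an added Go example; this is not Casdoor's or gosaml2's code. SPConfig, Assertion and ReplayCache are a hypothetical simplified model that assumes the response signature has already been verified and the certificate that verified it recorded in SignerCert.

```go
package main

import (
	"crypto/x509"
	"errors"
	"time"
)
type SPConfig struct { // trust material configured out of band (hypothetical model, not Casdoor's types)
	IdPCert     *x509.Certificate // the pre-configured IdP signing certificate
	AudienceURI string            // this SP's entity ID
	ClockSkew   time.Duration
}
type Assertion struct { // the subset of a parsed SAML assertion these checks need
	ID, InResponseTo, Audience string
	SignerCert                 *x509.Certificate // certificate carried in the response itself
	NotBefore, NotOnOrAfter    time.Time
}
// ReplayCache maps consumed assertion IDs to their expiry (guard with a mutex in a concurrent server).
type ReplayCache map[string]time.Time
// Consume returns false if id was already accepted and has not yet expired; expired entries are evicted.
func (c ReplayCache) Consume(id string, expires, now time.Time) bool {
	for k, exp := range c {
		if !now.Before(exp) {
			delete(c, k)
		}
	}
	if _, dup := c[id]; dup {
		return false
	}
	c[id] = expires
	return true
}
// ValidateAssertion applies the checks the advisory reports as missing; pending holds the IDs of
// AuthnRequests this SP issued and has not yet seen answered, so each request ID is usable once.
func ValidateAssertion(a Assertion, cfg SPConfig, pending map[string]bool, cache ReplayCache, now time.Time) error {
	switch {
	case cfg.IdPCert == nil || !cfg.IdPCert.Equal(a.SignerCert): // trust only the configured cert
		return errors.New("response not signed by the configured IdP certificate")
	case !pending[a.InResponseTo]: // solicited responses only
		return errors.New("unsolicited response: no matching AuthnRequest")
	case a.Audience != cfg.AudienceURI: // AudienceRestriction
		return errors.New("assertion audience is not this SP")
	case now.Add(cfg.ClockSkew).Before(a.NotBefore), !now.Before(a.NotOnOrAfter.Add(cfg.ClockSkew)):
		return errors.New("assertion outside its validity window") // NotBefore inclusive, NotOnOrAfter exclusive
	case !cache.Consume(a.ID, a.NotOnOrAfter.Add(cfg.ClockSkew), now):
		return errors.New("assertion ID already consumed (replay)")
	}
	delete(pending, a.InResponseTo)
	return nil
}
```

A zero NotOnOrAfter is rejected as a missing bound, and the request ID is only removed from pending once every check has passed.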

Two flaws target Casdoor's JWT token-exchange mechanism. CVE-2026-9097 describes a failure to verify whether a JWT used for token exchange is still active — the GetTokenExchangeToken() function validates the JWT signature and parses claims but never queries the Token table to check if the subject token has been revoked or invalidated. CVE-2026-9094 enables cross-organization token exchange: the same function validates JWT signatures but does not verify that the token's user belongs to the same organization as the target application, potentially leading to privilege escalation across tenant boundaries.

CVE-2026-9092 involves unverified email binding that may enable account takeover. The getExistUserByBindingRule function matches users by email without checking the email_verified claim from upstream providers; the idp.UserInfo struct does not even include an EmailVerified field. An attacker who can control the email claim in a social-login response can bind to an existing account. CVE-2026-9091 (CVSS 5.3) is a logic flaw in the social-login binding flow that allows users to bypass configured MFA requirements. The binding-rule code path in controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable, meaning any user authenticating via this path is logged in without a second factor.

The Casdoor project has not yet released a patched version at the time of disclosure. Users running Casdoor 2.362.0 or earlier should monitor the Casdoor GitHub repository for a security release. In the interim, organizations should review their SAML identity provider configurations, restrict access to the /api/acs endpoint where possible, and consider disabling SAML-based authentication flows if they are not strictly required.

Casdoor is deployed as a centralized authentication gateway for many organizations. The breadth of these nine flaws — spanning SAML trust validation, token lifecycle management, tenant isolation, and MFA enforcement — means that a single unpatched instance could be compromised through multiple independent attack paths. The critical severity of CVE-2026-9090 in particular makes this batch a priority for any team running Casdoor in production.

Synthesized by Vypr AI