惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

F
Fortinet All Blogs
宝玉的分享
宝玉的分享
酷 壳 – CoolShell
酷 壳 – CoolShell
T
The Exploit Database - CXSecurity.com
Help Net Security
Help Net Security
腾讯CDC
Project Zero
Project Zero
C
CXSECURITY Database RSS Feed - CXSecurity.com
IT之家
IT之家
C
Cyber Attacks, Cyber Crime and Cyber Security
T
Tailwind CSS Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
D
Darknet – Hacking Tools, Hacker News & Cyber Security
L
LINUX DO - 最新话题
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
T
Threatpost
N
News | PayPal Newsroom
C
Cybersecurity and Infrastructure Security Agency CISA
Hacker News - Newest:
Hacker News - Newest: "LLM"
S
SegmentFault 最新的问题
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
P
Proofpoint News Feed
A
Arctic Wolf
B
Blog RSS Feed
Forbes - Security
Forbes - Security
P
Privacy & Cybersecurity Law Blog
Attack and Defense Labs
Attack and Defense Labs
V2EX - 技术
V2EX - 技术
P
Proofpoint News Feed
I
Intezer
Application and Cybersecurity Blog
Application and Cybersecurity Blog
阮一峰的网络日志
阮一峰的网络日志
aimingoo的专栏
aimingoo的专栏
T
Tenable Blog
MyScale Blog
MyScale Blog
U
Unit 42
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
WordPress大学
WordPress大学
W
WeLiveSecurity
D
DataBreaches.Net
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
G
GRAHAM CLULEY
有赞技术团队
有赞技术团队
Martin Fowler
Martin Fowler
罗磊的独立博客
The Last Watchdog
The Last Watchdog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
V
Vulnerabilities – Threatpost
美团技术团队
Microsoft Security Blog
Microsoft Security Blog

CERT Recently Published Vulnerability Notes

CERT/CC Vulnerability Note VU#326070 CERT/CC Vulnerability Note VU#529388 CERT/CC Vulnerability Note VU#725167 VU#564823: GNU Wget enables SSRF via unvalidated FTP PASV IPs CERT/CC Vulnerability Note VU#152953 CERT/CC Vulnerability Note VU#734812 CERT/CC Vulnerability Note VU#849433 CERT/CC Vulnerability Note VU#213560 CERT/CC Vulnerability Note VU#828543 CERT/CC Vulnerability Note VU#639124 CERT/CC Vulnerability Note VU#936962 CERT/CC Vulnerability Note VU#226679 CERT/CC Vulnerability Note VU#457458 CERT/CC Vulnerability Note VU#380058 CERT/CC Vulnerability Note VU#862559 CERT/CC Vulnerability Note VU#616257 CERT/CC Vulnerability Note VU#595768 CERT/CC Vulnerability Note VU#615987 CERT/CC Vulnerability Note VU#265691 CERT/CC Vulnerability Note VU#873170 CERT/CC Vulnerability Note VU#158530 CERT/CC Vulnerability Note VU#980487 CERT/CC Vulnerability Note VU#777338 CERT/CC Vulnerability Note VU#471747 CERT/CC Vulnerability Note VU#937808 CERT/CC Vulnerability Note VU#260001 CERT/CC Vulnerability Note VU#748485 CERT/CC Vulnerability Note VU#518910 CERT/CC Vulnerability Note VU#890999 CERT/CC Vulnerability Note VU#414811 CERT/CC Vulnerability Note VU#915947 CERT/CC Vulnerability Note VU#536588 CERT/CC Vulnerability Note VU#951662 CERT/CC Vulnerability Note VU#655822 CERT/CC Vulnerability Note VU#221883 CERT/CC Vulnerability Note VU#330121 CERT/CC Vulnerability Note VU#577436 CERT/CC Vulnerability Note VU#624941 CERT/CC Vulnerability Note VU#907705 CERT/CC Vulnerability Note VU#665416 CERT/CC Vulnerability Note VU#976247 CERT/CC Vulnerability Note VU#772695 CERT/CC Vulnerability Note VU#431821 CERT/CC Vulnerability Note VU#504749 CERT/CC Vulnerability Note VU#458422 CERT/CC Vulnerability Note VU#481830
CERT/CC Vulnerability Note VU#780781
2026-05-29 · via CERT Recently Published Vulnerability Notes

Overview

Casdoor versions 2.362.0 and earlier contain several identity and access management vulnerabilities that enable broad authentication bypass and privilege escalation. These flaws relate to Casdoor’s Security Assertion Markup Language (SAML) processing, account binding, and token exchange mechanisms. An attacker able to interact with Casdoor’s authentication interface may impersonate users, bypass multifactor authentication (MFA), forge and replay assertions, and achieve persistent unauthorized access.

Description

Casdoor is an open-source identity and access management (IAM) platform and Model Context Protocol (MCP) gateway that provides authentication, single sign-on, and multi-protocol identity services. It is designed to centralize and streamline access control, allowing organizations to manage user identities and permissions across multiple applications and environments.

CVE-2026-9090
Casdoor versions 2.362.0 and earlier contain a vulnerability that allows an attacker to bypass authentication by supplying an arbitrary signing certificate. The buildSpCertificateStore function extracts the X.509 certificate directly from the incoming SAMLResponse instead of using the trusted pre-configured Identity Provider certificate, allowing an attacker to forge assertions signed with an attacker-controlled key.

CVE-2026-9091
A logic flaw in Casdoor's social‑login binding flow allows users to bypass configured MFA requirements. The binding‑rule code path in controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable. Any user authenticating via this path is logged in without MFA enforcement.

CVE-2026-9092
Casdoor contains a vulnerability involving unverified email binding that may enable account takeover. The getExistUserByBindingRule function matches users by email address without checking the email_verified claim returned from upstream providers, and the idp.UserInfo struct does not include a EmailVerified field. Therefore, an attacker can supply an unverified email claim from an upstream provider to take over accounts that use the same email address.

CVE-2026-9093
Casdoor's SAML service provider implementation does not validate the AudienceRestriction element in SAML assertions. Casdoor never sets the AudienceURI field to specify which service provider the assertion is intended for, and does not check for audience mismatch warnings alerted by WarningInfo.NotInAudience. As a result, Casdoor may improperly accept assertions that were issued for a different service provider.

CVE-2026-9094
Casdoor contains a vulnerability that enables cross-organization token exchange. The GetTokenExchangeToken function in object/token_oauth.go validates JWT signatures but does not verify that the token's user belongs to the same organization as the target application. This can result in privilege escalation across organizational boundaries.

CVE-2026-9095
Casdoor maps SAML assertions to user sessions without replay protection. The ParseSamlResponse() function in object/saml_sp.go calls sp.RetrieveAssertionInfo() and immediately maps the result to a user session. There is no assertion ID cache, OneTimeUse condition enforcement, or replay detection anywhere in the SAML SP code path. As a result, an attacker can replay a previously captured SAML assertion to obtain an authenticated session for the assertion’s subject, including administrator accounts, without needing the user’s password or MFA credentials.

CVE-2026-9096
Casdoor does not enforce SAML assertion time bounds. The gosaml2 library reports all time-validation results, including NotOnOrAfter and NotBefore, in the assertionInfo.WarningInfo field. However, ParseSamlResponse() never reads this field, meaning that time bounds are computed by the library but silently discarded before the user session is issued.

CVE-2026-9097
Casdoor does not verify that a JWT used for token exchange is still active. The GetTokenExchangeToken() function in object/token_oauth.go validates the JWT signature and parses its claims, but never queries the Token table to verify whether the subject token has been revoked or invalidated. Because the revocation check is entirely absent, administrators are unable to terminate active sessions or revoke compromised tokens.

CVE-2026-9098
The SAML callback handler in controllers/auth.go accepts any well-formed SAMLResponse sent to /api/acs without verifying that it corresponds to an AuthnRequest previously issued by Casdoor. Additionally, if an administrator disables or deletes an identity provider (IdP) after a SAML flow has started, the handler still processes the response using the provider snapshot loaded at the start of the request. As a result, an attacker controlling a registered upstream IdP can send unsolicited SAML responses, or replay a legitimately captured response in a different session or after the original flow has ended. In both cases, Casdoor accepts the response and issues a session, enabling persistent unauthorized access.

Impact

Exploitation of these vulnerabilities can allow attackers to impersonate users, bypass authentication controls, and escalate privileges across Casdoor deployments.

CVE‑2026‑9090, CVE‑2026‑9093, CVE‑2026‑9095, CVE‑2026‑9096, CVE‑2026‑9098:
Multiple flaws in SAML processing allow assertion forgery or replay, misuse of assertions across sessions, and the processing of expired or unsolicited SAML responses. Because certificate trust is not enforced, time bounds and audience restrictions are ignored, and responses are not correlated to prior AuthnRequests, attackers can submit malicious or previously-captured assertions to obtain authenticated sessions for arbitrary users, including administrators.

CVE‑2026‑9091, CVE‑2026‑9092:
Weaknesses in MFA protection and binding logic further contribute to the risk of account compromise, enabling attackers to bypass MFA and potentially take over other accounts via unverified email claims. An attacker can exploit these flaws to gain persistent unauthorized access by bypassing configured authentication requirements or security controls.

CVE‑2026‑9094, CVE‑2026‑9097:
The discovered token-exchange flaws enable cross‑organization privilege escalation and prevent administrators from reliably revoking tokens. Because user‑organization membership is not validated and token revocation status is not checked, compromised or malicious tokens may be exchanged for elevated privileges in other organizations, and administrators cannot reliably terminate active sessions.

Solution

Unfortunately, we were unable to reach the Casdoor team to coordinate this vulnerability, and a patch is not yet available. Users are advised to implement stricter identity governance controls and utilize external validation tools to better enforce application boundaries. Restrict identity provider (IdP) usage only to trusted providers, reinforce high-privilege accounts with additional authentication paths such as downstream MFA, and monitor logs for any unusual SAML or token activity to reduce the exploitability of these issues.

Acknowledgements

We extend our thanks to Zixu (Jason) Zhou (University of Toronto, PhD student), David Lie (University of Toronto, Professor), Ilya Grishchenko (University of Toronto, Postdoc), and Xiangyu Guo (University of Toronto, PhD student) for researching and reporting these vulnerabilities. This document was written by Molly Jaconski.

Vendor Information

Filter by content: Additional information available

 Sort by:

CVE IDs: CVE-2026-9090 CVE-2026-9091 CVE-2026-9092 CVE-2026-9093 CVE-2026-9094 CVE-2026-9095 CVE-2026-9096 CVE-2026-9097 CVE-2026-9098
API URL: VINCE JSON | CSAF
Date Public: 2026-05-28
Date First Published: 2026-05-28
Date Last Updated: 2026-05-28 16:13 UTC
Document Revision: 1