🔐 CVE Alert

CVE-2026-9091

Severity: MEDIUM (CVSS 5.3)
EPSS Score: 0.0%
EPSS Percentile: 5th

Casdoor versions 2.362.0 and earlier contain a logic flaw in the social-login binding flow that lets users bypass configured MFA requirements. The binding-rule code path in controllers/auth.go calls HandleLoggedIn directly without first invoking checkMfaEnable, the routine that enforces the MFA requirement on login. Any user who authenticates through this path is therefore logged in without MFA being enforced, even when MFA is required for their account. The weakness is one of inconsistent enforcement across entry points: the check exists, but one caller of the session-issuing function skips it. Operators should upgrade to a release later than 2.362.0; reviewers of similar code should confirm that every path that issues a session passes through the MFA gate rather than relying on each caller to remember it.
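As an added illustration (not Casdoor's own code, and not the upstream fix), the following Go program models the control flow the description above attributes to controllers/auth.go: two login entry points share one session-issuing function, and one of them skips the MFA gate. The type and function names (User, Result, HandleLoggedIn, checkMfaEnable, the login functions) are hypothetical stand-ins kept close to the advisory's identifiers for readability. It also shows the fix shape a reviewer would ask for, moving the check inside the session-issuing function, and a regression check that drives every entry point with a constructed MFA-enabled account that has not passed MFA and reports any path that still logs it in.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Added illustration of the bug class in the advisory above. This is not
// Casdoor's code: User, Result, HandleLoggedIn, checkMfaEnable and the
// login functions are simplified stand-ins chosen to mirror the described
// control flow (two entry points, one of which skips the MFA gate).

// User is a minimal stand-in for an account record.
type User struct {
	Name        string
	MfaEnabled  bool // MFA is required for this account
	MfaVerified bool // this request has already passed an MFA challenge
}

// Result is what a login path hands back to its caller.
type Result struct {
	LoggedIn    bool
	MfaRequired bool
}

// ErrMfaRequired means the caller must complete the MFA step before a
// session may be issued.
var ErrMfaRequired = errors.New("mfa verification required")

// checkMfaEnable is the MFA gate: refuse to proceed when MFA is required
// for the user and this request has not satisfied it.
func checkMfaEnable(u *User) error {
	if u.MfaEnabled && !u.MfaVerified {
		return ErrMfaRequired
	}
	return nil
}

// HandleLoggedIn issues the session. In the vulnerable shape it trusts
// that every caller has already run checkMfaEnable.
func HandleLoggedIn(u *User) Result {
	return Result{LoggedIn: true}
}

// loginNormal models the ordinary login path: it runs the MFA gate and
// only then hands the user to HandleLoggedIn.
func loginNormal(u *User) Result {
	if err := checkMfaEnable(u); err != nil {
		return Result{MfaRequired: true}
	}
	return HandleLoggedIn(u)
}

// loginBindingVulnerable models the binding-rule branch the advisory
// describes: it calls HandleLoggedIn directly, so the MFA gate never
// runs for requests that take this branch.
func loginBindingVulnerable(u *User) Result {
	return HandleLoggedIn(u)
}

// HandleLoggedInFixed moves the gate into the session-issuing function
// itself, so a caller cannot bypass MFA by forgetting the check.
func HandleLoggedInFixed(u *User) Result {
	if err := checkMfaEnable(u); err != nil {
		return Result{MfaRequired: true}
	}
	return Result{LoggedIn: true}
}

// loginBindingFixed is the binding branch once it goes through the
// hardened session-issuing function.
func loginBindingFixed(u *User) Result {
	return HandleLoggedInFixed(u)
}

// auditPaths is the regression check a maintainer would keep: drive every
// login entry point with a constructed MFA-enabled account that has not
// passed MFA, and report the names of any path that still issues a session.
func auditPaths(paths map[string]func(*User) Result) []string {
	var bypass []string
	for name, login := range paths {
		probe := &User{Name: "probe", MfaEnabled: true} // constructed test account
		if login(probe).LoggedIn {
			bypass = append(bypass, name)
		}
	}
	sort.Strings(bypass)
	return bypass
}

func main() {
	paths := map[string]func(*User) Result{
		"normal":        loginNormal,
		"binding-vuln":  loginBindingVulnerable,
		"binding-fixed": loginBindingFixed,
	}
	fmt.Println("paths that bypass MFA:", auditPaths(paths))
}
```

The design point is that the MFA decision belongs in the function that issues the session, not in each of its callers; once it lives there, adding a new login route (a binding flow, a device flow, an admin impersonation path) cannot silently reintroduce the bypass, and the audit function catches any route that is still wired around the gate.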

Vendor: casdoor
Product: casdoor
Published: May 28, 2026
Last Updated: May 29, 2026

Affected Versions

Casdoor / Casdoor: all versions up to and including 2.362.0 (0 ≤ version ≤ 2.362.0)

References

NVD
CVE.org
EPSS Data
kb.cert.org (CERT/CC Vulnerability Note): https://kb.cert.org/vuls/id/780781