🔐 CVE Alert

CVE-2026-9095

HIGH 8.1

CVSS Score: 8.1
EPSS Score: 0.0%
EPSS Percentile: 0th

Casdoor versions 2.362.0 and earlier map SAML assertions to user sessions without replay protection. The ParseSamlResponse() function in object/saml_sp.go calls sp.RetrieveAssertionInfo() and immediately maps the result to a user session. There is no assertion ID cache, OneTimeUse condition enforcement, or replay detection anywhere in the SAML SP code path. As a result, an attacker can replay a previously captured SAML assertion to obtain an authenticated session for the assertion’s subject, including administrator accounts, without needing the user’s password or MFA credentials.
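The check that the advisory says is missing can be illustrated with a small replay cache keyed on the assertion ID. The following Go program is an added example written for this page; it is not Casdoor's code and does not use the gosaml2 library that Casdoor's ParseSamlResponse() relies on. It assumes that signature verification of the response has already been done by the SAML library, parses only the fields a replay check needs from a constructed sample assertion, and then shows two paths side by side: an unprotected MapWithoutReplayCheck() that mirrors the pattern the advisory describes (subject goes straight to a session), and a ValidateOnce() that enforces the validity window and rejects any assertion ID that has already been consumed. The function and type names, the sample XML and the timestamps are all invented for the example.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Minimal view of the SAML 2.0 Assertion fields a replay check needs.
// Example type, not Casdoor's; a real SP validates the signature before this.
type Assertion struct {
	XMLName    xml.Name   `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
	ID         string     `xml:"ID,attr"`
	Subject    Subject    `xml:"Subject"`
	Conditions Conditions `xml:"Conditions"`
}

type Subject struct {
	NameID string `xml:"NameID"`
}

type Conditions struct {
	NotBefore    string    `xml:"NotBefore,attr"`
	NotOnOrAfter string    `xml:"NotOnOrAfter,attr"`
	OneTimeUse   *struct{} `xml:"OneTimeUse"` // non-nil when the IdP set the condition
}

var (
	ErrReplay  = errors.New("saml: assertion ID already consumed (replay)")
	ErrExpired = errors.New("saml: assertion outside its validity window")
	ErrNoID    = errors.New("saml: assertion has no ID attribute")
)

// ReplayCache remembers consumed assertion IDs. The SAML Web Browser SSO
// profile requires the SP to retain used IDs at least until the assertion's
// NotOnOrAfter, so entries are kept until then and purged afterwards.
type ReplayCache struct {
	mu   sync.Mutex
	seen map[string]time.Time // assertion ID -> NotOnOrAfter
}

func NewReplayCache() *ReplayCache {
	return &ReplayCache{seen: map[string]time.Time{}}
}

// Consume records id and fails if it was already recorded and still valid.
func (c *ReplayCache) Consume(id string, notOnOrAfter, now time.Time) error {
	c.mu.Lock()
	defer c.mu.Unlock()
	for k, exp := range c.seen {
		if !now.Before(exp) { // expired entries can no longer be replayed
			delete(c.seen, k)
		}
	}
	if _, dup := c.seen[id]; dup {
		return ErrReplay
	}
	c.seen[id] = notOnOrAfter
	return nil
}

// MapWithoutReplayCheck mirrors the unprotected pattern the advisory describes:
// the subject of any parsed assertion becomes the session user, every time.
func MapWithoutReplayCheck(raw []byte) (string, error) {
	var a Assertion
	if err := xml.Unmarshal(raw, &a); err != nil {
		return "", err
	}
	return a.Subject.NameID, nil
}

// ValidateOnce is the hardened counterpart: it requires an ID, enforces
// NotBefore/NotOnOrAfter, and treats every bearer assertion as single-use,
// whether or not the IdP added <OneTimeUse/> (that flag only adds a
// prohibition on caching the assertion's contents).
func ValidateOnce(c *ReplayCache, raw []byte, now time.Time) (string, error) {
	var a Assertion
	if err := xml.Unmarshal(raw, &a); err != nil {
		return "", err
	}
	if a.ID == "" {
		return "", ErrNoID
	}
	nb, err := time.Parse(time.RFC3339, a.Conditions.NotBefore)
	if err != nil {
		return "", err
	}
	noa, err := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	if err != nil {
		return "", err
	}
	if now.Before(nb) || !now.Before(noa) { // NotOnOrAfter is exclusive
		return "", ErrExpired
	}
	if err := c.Consume(a.ID, noa, now); err != nil {
		return "", err
	}
	return a.Subject.NameID, nil
}

// Constructed sample assertion for this example (not a captured artifact).
const sampleAssertion = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example-assertion-1" Version="2.0" IssueInstant="2026-05-28T10:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2026-05-28T10:00:00Z" NotOnOrAfter="2026-05-28T10:05:00Z"><saml:OneTimeUse/></saml:Conditions>
</saml:Assertion>`

func main() {
	cache := NewReplayCache()
	now := time.Date(2026, 5, 28, 10, 1, 0, 0, time.UTC)
	raw := []byte(sampleAssertion)
	for i := 1; i <= 2; i++ { // same assertion submitted twice
		u1, e1 := MapWithoutReplayCheck(raw)
		u2, e2 := ValidateOnce(cache, raw, now.Add(time.Duration(i)*time.Second))
		fmt.Printf("submission %d: unprotected=%q err=%v | hardened=%q err=%v\n", i, u1, e1, u2, e2)
	}
}
```

The in-memory map is enough to show the check, but it is per process: an SP that runs several replicas behind a load balancer needs the consumed-ID set in a store shared by all instances, otherwise a replay sent to a different replica still succeeds.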

Vendor: casdoor
Product: casdoor
Published: May 28, 2026
Last Updated: May 28, 2026

Affected Versions

Casdoor / Casdoor: all versions up to and including 2.362.0 (0 ≤ version ≤ 2.362.0)

References

NVD
CVE.org
EPSS Data
kb.cert.org: https://kb.cert.org/vuls/id/780781