CVE-2026-9098
Summary
| CVE | CVE-2026-9098 |
|---|---|
| State | PUBLISHED |
| Assigner | certcc |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-28 17:16:34 UTC |
| Updated | 2026-05-28 18:00:22 UTC |
| Description | In Casdoor versions 2.362.0 and earlier, the SAML callback handler in controllers/auth.go accepts any well-formed SAMLResponse sent to /api/acs without verifying that it corresponds to an AuthnRequest previously issued by Casdoor. Additionally, if an administrator disables or deletes an IdP (Identity Provider) after a SAML flow has started, the handler still processes the response using the provider snapshot loaded at the start of the request. As a result, an attacker controlling a registered upstream IdP can send unsolicited SAML responses, or replay a legitimately captured response in a different session or after the original flow has ended. In both cases, Casdoor accepts the response and issues a session, enabling persistent unauthorized access. |
Risk And Classification
EPSS: 0.000100000 probability, percentile 0.012060000 (date 2026-05-29)
Problem Types: CWE-346 Origin Validation Error
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| kb.cert.org/vuls/id/780781 | [email protected] | kb.cert.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.