CVE-2026-9093
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
28/05/2026
Last modified:
02/06/2026
Description
In Casdoor versions 2.362.0 and earlier, the SAML service provider implementation does not validate the AudienceRestriction element in SAML assertions. The buildSp function in object/saml_sp.go never sets AudienceURI on the gosaml2 SAMLServiceProvider struct and never inspects WarningInfo.NotInAudience. This allows assertions issued for other service providers to be accepted by Casdoor.
Impact
Base Score 3.x
9.80
Severity 3.x
CRITICAL



