CVE-2026-9095

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
28/05/2026
Last modified:
28/05/2026

Description

Casdoor versions 2.362.0 and earlier map SAML assertions to user sessions without replay protection. The ParseSamlResponse() function in object/saml_sp.go calls sp.RetrieveAssertionInfo() and immediately maps the result to a user session. There is no assertion ID cache, OneTimeUse condition enforcement, or replay detection anywhere in the SAML SP code path. As a result, an attacker can replay a previously captured SAML assertion to obtain an authenticated session for the assertion’s subject, including administrator accounts, without needing the user’s password or MFA credentials.

References to Advisories, Solutions, and Tools