Account Takeover Vulnerability in Casdoor by IDP Provider
CVE-2026-9092

9.1 CRITICAL

Key Information:

Vendor: Casdoor
Status: Vendor
CVE Published: 28 May 2026

What is CVE-2026-9092?

Casdoor versions 2.362.0 and earlier are vulnerable to account takeover through unverified email bindings. The flaw is in the getExistUserByBindingRule function, which looks up users by email alone and does not check the email_verified claim returned by upstream identity providers. An attacker can therefore log in through an identity provider with a fake, unverified email claim and take over any account bound to that email address. The vulnerability underlines the need to verify identity-provider claims before binding them to existing accounts.
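As an added illustration (not Casdoor's own code; the types and function names below are hypothetical), the email-only lookup the advisory describes beside a binding rule that honours the email_verified claim:

```go
package main

import "fmt"

// Constructed, simplified claims from an upstream IdP (hypothetical types,
// not Casdoor's own).
type Claims struct {
	Provider, Subject, Email string
	EmailVerified            bool
}

// Minimal local account with the IdP identities already linked to it.
type User struct {
	Name, Email string
	Bindings    map[string]string // provider -> subject
}

// findByEmailOnly mirrors the flawed rule: any IdP login whose email matches
// an existing account is treated as that account.
func findByEmailOnly(users []*User, c Claims) *User {
	for _, u := range users {
		if u.Email == c.Email {
			return u
		}
	}
	return nil
}

// findByBindingRule is the hardened rule: match an existing (provider,
// subject) link first; fall back to email only when the IdP asserts the
// address is verified. nil tells the caller to create a fresh account or
// to require proof of control of the address instead of linking.
func findByBindingRule(users []*User, c Claims) *User {
	for _, u := range users {
		if sub, ok := u.Bindings[c.Provider]; ok && sub == c.Subject {
			return u
		}
	}
	if !c.EmailVerified {
		return nil
	}
	return findByEmailOnly(users, c)
}

func main() {
	users := []*User{{Name: "alice", Email: "alice@example.com", Bindings: map[string]string{}}}
	// Constructed claim: the IdP relays the address but does not vouch for it.
	c := Claims{Provider: "idp-a", Subject: "sub-999", Email: "alice@example.com"}
	fmt.Println(findByEmailOnly(users, c) != nil, findByBindingRule(users, c) != nil) // true false
}
```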

Affected Version(s)

Casdoor: 0 <= version <= 2.362.0

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
