Account Takeover Vulnerability in Casdoor by IDP Provider
CVE-2026-9092
9.1 CRITICAL
What is CVE-2026-9092?
Casdoor versions 2.362.0 and earlier are susceptible to a vulnerability that allows attackers to exploit unverified email bindings. The flaw exists in the getExistUserByBindingRule function, which retrieves users based solely on their email without validating the email_verified claim from upstream identity providers. Consequently, an attacker could provide a fake, unverified email claim from an identity provider, enabling them to seize control of accounts linked to that email address. This vulnerability highlights the critical need for robust verification processes to protect user accounts from unauthorized access.
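The following Go snippet is an added illustration and is not Casdoor's code. It contrasts the flawed pattern the description names (binding an upstream identity to a local account by email alone) with a hardened lookup that requires the provider's email_verified claim. The user store, claim sets, and function names lookupByEmailUnsafe, lookupByEmailSafe and emailVerified are all hypothetical; Casdoor's real getExistUserByBindingRule is not reproduced here.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// User is a minimal stand-in for a local account record (constructed for this example).
type User struct {
	Name  string
	Email string
}

// Claims is the identity assertion received from an upstream provider.
// Keys follow the OIDC standard claim names. Values are untyped because
// providers differ in how they encode email_verified (JSON bool or string).
type Claims map[string]interface{}

// userStore is an in-memory directory keyed by lower-cased email (constructed sample data).
var userStore = map[string]*User{
	"alice@example.com": {Name: "alice", Email: "alice@example.com"},
}

var (
	ErrNoEmail         = errors.New("upstream claims carry no email")
	ErrUnverifiedEmail = errors.New("upstream provider did not assert email as verified")
)

// lookupByEmailUnsafe mirrors the flawed pattern: any email claim, verified
// or not, is enough to bind the login to an existing local account.
func lookupByEmailUnsafe(c Claims) (*User, error) {
	email, _ := c["email"].(string)
	if email == "" {
		return nil, ErrNoEmail
	}
	u, ok := userStore[strings.ToLower(email)]
	if !ok {
		return nil, nil // no match: caller would create a fresh account
	}
	return u, nil
}

// emailVerified returns true only when the provider explicitly asserts it.
// A missing claim fails closed, and the string encodings "true"/"false"
// some providers emit are accepted alongside a real JSON bool.
func emailVerified(c Claims) bool {
	switch v := c["email_verified"].(type) {
	case bool:
		return v
	case string:
		return strings.EqualFold(v, "true")
	default:
		return false
	}
}

// lookupByEmailSafe is the hardened form: the email is used to match an
// existing account only when the provider asserts that it verified it.
// An unverified email is rejected rather than silently bound.
func lookupByEmailSafe(c Claims) (*User, error) {
	email, _ := c["email"].(string)
	if email == "" {
		return nil, ErrNoEmail
	}
	if !emailVerified(c) {
		return nil, ErrUnverifiedEmail
	}
	u, ok := userStore[strings.ToLower(email)]
	if !ok {
		return nil, nil
	}
	return u, nil
}

func main() {
	// Constructed claim sets: one where the provider verified the address,
	// one where it did not (the case the flaw fails to distinguish).
	verified := Claims{"sub": "idp-1", "email": "alice@example.com", "email_verified": true}
	unverified := Claims{"sub": "idp-2", "email": "alice@example.com"}

	for _, c := range []Claims{verified, unverified} {
		u1, e1 := lookupByEmailUnsafe(c)
		u2, e2 := lookupByEmailSafe(c)
		fmt.Printf("claims=%v\n  unsafe: user=%v err=%v\n  safe:   user=%v err=%v\n", c, u1, e1, u2, e2)
	}
}
```

Run it and the unverified claim set binds to alice under the unsafe lookup but is rejected with ErrUnverifiedEmail under the safe one; the verified set binds under both. Failing closed on a missing email_verified claim matters because the claim is optional in OIDC, and a provider that omits it gives the relying party no basis to trust the address.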
Affected Version(s)
Casdoor, all versions up to and including 2.362.0
