SAML Assertion Vulnerability in Casdoor by Netease
CVE-2026-9096

7.5 HIGH

Key Information:

Vendor

Casdoor

Status
Vendor
CVE Published:
28 May 2026

What is CVE-2026-9096?

Casdoor versions up to and including 2.362.0 do not enforce the time bounds carried in SAML assertions. The gosaml2 library that Casdoor uses to parse SAML responses does evaluate the assertion's Conditions element (the NotBefore and NotOnOrAfter attributes), but it reports a failed time check as a warning in the returned assertionInfo.WarningInfo rather than as an error from the parse call. Casdoor's ParseSamlResponse() never reads WarningInfo, so an assertion that has expired, or is not yet valid, is treated exactly like a fresh one and a user session is issued for it. The time window that normally limits how long an issued assertion stays usable is therefore not enforced, which can lead to unauthorized access. The general caveat for any gosaml2 integration is the same: a nil error from parsing does not mean the assertion passed its time and audience checks; WarningInfo must be inspected explicitly before a session is created.
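The following Go program is an added example, not code from Casdoor or gosaml2. It models the gosaml2 contract described above with local stand-in types (WarningInfo.InvalidTime and NotInAudience are assumed to match gosaml2's field names), parses a constructed, unsigned sample assertion with the standard library, and places the vulnerable pattern (nil error taken as "valid") beside the hardened one (reject when any warning is set). The function names retrieveAssertionInfo, vulnerableParse and hardenedParse, the sample assertion and the audience URL are all assumptions for illustration; signature validation is out of scope here.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// Local stand-ins for the gosaml2 types the advisory refers to (assumption:
// field names follow gosaml2; gosaml2 is not imported so this runs offline).
type WarningInfo struct {
	InvalidTime   bool // NotBefore / NotOnOrAfter check failed
	NotInAudience bool // AudienceRestriction did not name this SP
}

type AssertionInfo struct {
	NameID      string
	WarningInfo *WarningInfo
}

type samlConditions struct {
	NotBefore    string `xml:"NotBefore,attr"`
	NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
	Audience     string `xml:"AudienceRestriction>Audience"`
}

type samlAssertion struct {
	XMLName    xml.Name       `xml:"Assertion"`
	NameID     string         `xml:"Subject>NameID"`
	Conditions samlConditions `xml:"Conditions"`
}

// Constructed sample: a five-minute validity window starting 2026-05-01T00:00:00Z.
const sampleAssertion = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0" IssueInstant="2026-05-01T00:00:00Z">
  <saml:Issuer>https://idp.example/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2026-05-01T00:00:00Z" NotOnOrAfter="2026-05-01T00:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://casdoor.example/api/acs</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>`

const sampleAudience = "https://casdoor.example/api/acs" // assumed SP entity ID

// retrieveAssertionInfo mirrors the gosaml2 behaviour the advisory relies on:
// parsing succeeds, and a failed time or audience check only sets a warning flag.
func retrieveAssertionInfo(raw []byte, audience string, now time.Time) (*AssertionInfo, error) {
	var a samlAssertion
	if err := xml.Unmarshal(raw, &a); err != nil {
		return nil, err
	}
	w := &WarningInfo{}
	if a.Conditions.NotBefore != "" {
		nb, err := time.Parse(time.RFC3339, a.Conditions.NotBefore)
		if err != nil {
			return nil, err
		}
		if now.Before(nb) {
			w.InvalidTime = true
		}
	}
	if a.Conditions.NotOnOrAfter != "" {
		noa, err := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
		if err != nil {
			return nil, err
		}
		if !now.Before(noa) { // NotOnOrAfter is exclusive: now == noa is already invalid
			w.InvalidTime = true
		}
	}
	if a.Conditions.Audience != audience {
		w.NotInAudience = true
	}
	return &AssertionInfo{NameID: a.NameID, WarningInfo: w}, nil
}

// vulnerableParse is the pattern the advisory describes: a nil error is taken
// to mean the assertion is valid, and WarningInfo is never consulted.
func vulnerableParse(raw []byte, audience string, now time.Time) (string, error) {
	info, err := retrieveAssertionInfo(raw, audience, now)
	if err != nil {
		return "", err
	}
	return info.NameID, nil
}

// hardenedParse refuses to issue a session while any warning is set.
func hardenedParse(raw []byte, audience string, now time.Time) (string, error) {
	info, err := retrieveAssertionInfo(raw, audience, now)
	if err != nil {
		return "", err
	}
	if info.WarningInfo != nil && info.WarningInfo.InvalidTime {
		return "", errors.New("assertion rejected: outside NotBefore/NotOnOrAfter window")
	}
	if info.WarningInfo != nil && info.WarningInfo.NotInAudience {
		return "", errors.New("assertion rejected: audience mismatch")
	}
	return info.NameID, nil
}

func main() {
	raw := []byte(sampleAssertion)
	expired := time.Date(2026, 6, 1, 0, 0, 0, 0, time.UTC) // a month past NotOnOrAfter
	u, err := vulnerableParse(raw, sampleAudience, expired)
	fmt.Printf("vulnerable: user=%q err=%v\n", u, err)
	u, err = hardenedParse(raw, sampleAudience, expired)
	fmt.Printf("hardened:   user=%q err=%v\n", u, err)
}
```

Run with `go run .`: the vulnerable path still returns `alice` for the expired assertion while the hardened path returns an error. The same check, applied to WarningInfo immediately after the parse call, is what a fix for this class of bug needs; a production integration would also bound clock skew and verify the signature before any of this.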

Affected Version(s)

Casdoor 0 <= 2.362.0

References

CVSS V3.1

Score: 7.5
Severity: HIGH
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: None

Note: the impact metrics as listed cannot produce a 7.5 base score. With AV:N/AC:L/PR:N/UI:N/S:U, a base score of 7.5 requires exactly one of Confidentiality, Integrity or Availability to be rated High; three None values score 0.0. The impact breakdown above is therefore inconsistent with the score, and the published vector string should be checked before it is relied on.

Timeline

  • Vulnerability published

  • Vulnerability Reserved
