SAML Assertion Vulnerability in Casdoor by Netease
CVE-2026-9096
7.5 HIGH
What is CVE-2026-9096?
Casdoor versions up to and including 2.362.0 fail to enforce the time bounds on SAML assertions. The SAML libraries Casdoor relies on, including gosaml2, do evaluate the assertion's time conditions, but the result of that evaluation is never consulted when the user session is created. Specifically, ParseSamlResponse() does not read the assertionInfo.WarningInfo field, which is where the library records that a NotOnOrAfter or NotBefore condition was not satisfied. As a result, a session can be issued for an assertion whose validity window has not yet started or has already passed, which can lead to unauthorized access.
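To make the described failure concrete, the following is an added Go example, not Casdoor's or gosaml2's code: it uses stand-in types that mirror the shape of gosaml2's AssertionInfo.WarningInfo, and the evaluateConditions helper, the sample assertion times and the parseSamlResponse* function names are constructed for illustration. It places the unchecked code path the advisory describes beside a hardened version that treats the InvalidTime warning as a rejection.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Example stand-ins for the shape of gosaml2's AssertionInfo/WarningInfo (not
// the library's types): a failed NotBefore/NotOnOrAfter check is recorded as a
// warning flag rather than returned as an error.
type WarningInfo struct{ InvalidTime bool }
type AssertionInfo struct {
	NameID      string
	WarningInfo *WarningInfo
}

// evaluateConditions mimics the library's time check: the assertion is usable
// only when NotBefore <= now < NotOnOrAfter. Constructed for this example.
func evaluateConditions(nameID string, notBefore, notOnOrAfter, now time.Time) *AssertionInfo {
	w := &WarningInfo{InvalidTime: now.Before(notBefore) || !now.Before(notOnOrAfter)}
	return &AssertionInfo{NameID: nameID, WarningInfo: w}
}

// parseSamlResponseVulnerable models the defect in the advisory: the NameID is
// taken and WarningInfo is never read, so a stale assertion still yields a session.
func parseSamlResponseVulnerable(info *AssertionInfo) (string, error) {
	return info.NameID, nil
}

// parseSamlResponseFixed treats the warning as a hard failure before any session
// is created, and refuses if the conditions were never evaluated at all.
func parseSamlResponseFixed(info *AssertionInfo) (string, error) {
	if info.WarningInfo == nil {
		return "", errors.New("saml: conditions were not evaluated")
	}
	if info.WarningInfo.InvalidTime {
		return "", errors.New("saml: assertion outside its NotBefore/NotOnOrAfter window")
	}
	return info.NameID, nil
}

func main() {
	now := time.Date(2026, 1, 1, 12, 0, 0, 0, time.UTC)
	// Constructed sample: an assertion whose NotOnOrAfter passed an hour ago.
	expired := evaluateConditions("alice", now.Add(-3*time.Hour), now.Add(-time.Hour), now)
	_, errV := parseSamlResponseVulnerable(expired)
	_, errF := parseSamlResponseFixed(expired)
	fmt.Println("vulnerable accepted:", errV == nil, "| fixed accepted:", errF == nil)
}
```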
Affected Version(s)
Casdoor 0 through 2.362.0 (inclusive)
