SAML Callback Handler Vulnerability in Casdoor Authentication System
CVE-2026-9098

9.1CRITICAL

Key Information:

Vendor

Casdoor

Status
Vendor
CVE Published:
28 May 2026

What is CVE-2026-9098?

In Casdoor versions prior to 2.362.0, the SAML callback handler is susceptible to a significant security flaw. This vulnerability enables the acceptance of any well-formed SAMLResponse sent to the /api/acs endpoint without proper validation against a previously issued AuthnRequest by Casdoor. Furthermore, if an administrator disables or removes an Identity Provider (IdP) during an ongoing SAML flow, the system continues to process the response based on the original provider snapshot. Consequently, this allows an attacker with control over a registered upstream IdP to submit unsolicited SAML responses or replay valid responses from previous sessions, resulting in unrestricted session creation and persistent access.

Affected Version(s)

Casdoor 0 <= 2.362.0

References

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.