SAML Callback Handler Vulnerability in Casdoor Authentication System
CVE-2026-9098
9.1CRITICAL
What is CVE-2026-9098?
In Casdoor versions prior to 2.362.0, the SAML callback handler is susceptible to a significant security flaw. This vulnerability enables the acceptance of any well-formed SAMLResponse sent to the /api/acs endpoint without proper validation against a previously issued AuthnRequest by Casdoor. Furthermore, if an administrator disables or removes an Identity Provider (IdP) during an ongoing SAML flow, the system continues to process the response based on the original provider snapshot. Consequently, this allows an attacker with control over a registered upstream IdP to submit unsolicited SAML responses or replay valid responses from previous sessions, resulting in unrestricted session creation and persistent access.
Affected Version(s)
Casdoor 0 <= 2.362.0
