CVE-2026-9095
8.1 HIGHCasdoor versions 2.362.0 and earlier map SAML assertions to user sessions without replay protection
Published: 2026-05-28 · Last updated: 2026-05-28
Severity and scoring
- CVSS
- 8.1 HIGH
- Vector
- CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- CWE
- CWE-294
Description
Casdoor versions 2.362.0 and earlier map SAML assertions to user sessions without replay protection. The ParseSamlResponse() function in object/saml_sp.go calls sp.RetrieveAssertionInfo() and immediately maps the result to a user session. There is no assertion ID cache, OneTimeUse condition enforcement, or replay detection anywhere in the SAML SP code path. As a result, an attacker can replay a previously captured SAML assertion to obtain an authenticated session for the assertion’s subject, including administrator accounts, without needing the user’s password or MFA credentials.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2026-49322 — Weak authentication in the Wireless Control Module (WCM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-... (4.3 MEDIUM)
- CVE-2026-46538 — Microsoft UFO open-source framework for intelligent automation across devices and platforms (5.9 MEDIUM)
- CVE-2026-9398 — A security vulnerability has been detected in Besen BS20 EV Charging Station up to 20260426 (3.1 LOW)
- CVE-2026-37982 — A flaw was found in Keycloak (6.8 MEDIUM)
- CVE-2026-42602 — azureauthextension is the Azure Authenticator Extension (8.1 HIGH)