CVE-2026-9092
Status: Deferred - Pending Action
Unverified Email Binding Leading to Account Takeover in Casdoor

Publication date: 2026-05-28

Last updated on: 2026-06-01

Assigner: CERT/CC

Description
Casdoor versions 2.362.0 and earlier contain a vulnerability involving unverified email binding that may enable account takeover. The getExistUserByBindingRule function matches users by email without checking the email_verified claim from upstream providers; the idp.UserInfo struct does not even include an EmailVerified field. An attacker can supply an unverified email claim from an upstream provider to take over accounts that use the same email address.
Meta Information
Published: 2026-05-28
Last Modified: 2026-06-01
Generated: 2026-06-17
AI Q&A: 2026-05-28
EPSS Evaluated: 2026-06-16
Affected Vendors & Products (1 associated CPE)
Vendor    Product    Version / Range
casdoor   casdoor    to 2.362.0 (exc)
CWE ID: CWE-UNKNOWN
AI Quick Actions (AI-generated)
Executive Summary

CVE-2026-9092 is a vulnerability in Casdoor versions 2.362.0 and earlier involving unverified email binding that may enable account takeover.

The vulnerability arises because the function getExistUserByBindingRule matches users by email without verifying the email_verified claim from upstream identity providers.

Moreover, the idp.UserInfo struct does not include an EmailVerified field, which allows an attacker to supply an unverified email claim from an upstream provider to take over accounts that use the same email address.

Impact Analysis

This vulnerability can lead to unauthorized account takeover by attackers.

Because the system does not check whether the upstream provider has verified an email address before binding it to a user account, an attacker can supply an unverified email claim to gain access to accounts associated with that email.

This bypasses email verification controls and facilitates unauthorized access to user accounts, potentially compromising sensitive information and user data.

Compliance Impact

The vulnerability in Casdoor allows attackers to take over user accounts by exploiting unverified email binding, which bypasses email verification controls.

This unauthorized access risk can lead to violations of common standards and regulations such as GDPR and HIPAA, which require strict controls on user identity verification and protection of personal data.

By enabling account takeover through unverified email claims, the vulnerability undermines the integrity and confidentiality of user data, potentially resulting in non-compliance with these regulations.

Mitigation Strategies

To mitigate this vulnerability, ensure that the application checks the email_verified claim from upstream identity providers and binds an email address to an existing user account only when that claim is true.

Since the idp.UserInfo struct lacks an EmailVerified field, update or patch Casdoor to a version that includes proper verification of email claims or implement additional checks to confirm email verification status.

Avoid accepting unverified email claims from upstream providers to prevent attackers from taking over accounts using the same email address.
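The following Go sketch illustrates the check the mitigation calls for. It is an added example, not code from the Casdoor project: the UserInfo and User types, the getExistUserByBindingRuleUnsafe/Safe function names and signatures, and the sample accounts are all constructed here. It mirrors the advisory's description (matching by email alone) beside a hardened form that consults an EmailVerified field populated from the standard OIDC email_verified claim, and treats a missing claim as unverified.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// UserInfo is a hypothetical stand-in for an upstream provider's profile,
// modelled on the idp.UserInfo struct named in the advisory and extended
// with the EmailVerified field the advisory says is missing. The JSON tag
// maps the standard OIDC "email_verified" claim; when the provider omits
// the claim the field stays false, which is the safe default.
type UserInfo struct {
	Id            string `json:"sub"`
	Username      string `json:"preferred_username"`
	Email         string `json:"email"`
	EmailVerified bool   `json:"email_verified"`
}

// User is a hypothetical local account record (constructed for this example).
type User struct {
	Name  string
	Email string
}

// ErrUnverifiedEmail signals that the upstream email claim must not be used
// to locate an existing account.
var ErrUnverifiedEmail = errors.New("upstream email claim is not verified; refusing to bind by email")

// parseUserInfo decodes a provider's userinfo JSON document into UserInfo.
func parseUserInfo(raw []byte) (UserInfo, error) {
	var info UserInfo
	if err := json.Unmarshal(raw, &info); err != nil {
		return UserInfo{}, err
	}
	return info, nil
}

// getExistUserByBindingRuleUnsafe mirrors the behaviour the advisory
// describes: any local user whose email equals the claim is matched, no
// matter whether the provider has verified that address.
func getExistUserByBindingRuleUnsafe(users []User, info UserInfo) *User {
	for i := range users {
		if info.Email != "" && users[i].Email == info.Email {
			return &users[i]
		}
	}
	return nil
}

// getExistUserByBindingRuleSafe matches on email only when the provider
// asserts it has verified the address. An unverified claim returns
// ErrUnverifiedEmail so the caller can create a fresh, unlinked account or
// run its own verification step instead of silently linking.
func getExistUserByBindingRuleSafe(users []User, info UserInfo) (*User, error) {
	if info.Email == "" {
		return nil, nil
	}
	if !info.EmailVerified {
		return nil, ErrUnverifiedEmail
	}
	for i := range users {
		if users[i].Email == info.Email {
			return &users[i], nil
		}
	}
	return nil, nil
}

func main() {
	// Constructed sample: one existing local account and a userinfo document
	// in which the provider returns the same email without email_verified.
	users := []User{{Name: "alice", Email: "alice@example.com"}}
	raw := []byte(`{"sub":"upstream-42","preferred_username":"mallory","email":"alice@example.com"}`)

	info, err := parseUserInfo(raw)
	if err != nil {
		panic(err)
	}
	if u := getExistUserByBindingRuleUnsafe(users, info); u != nil {
		fmt.Printf("unsafe rule linked upstream identity %q to local account %q\n", info.Id, u.Name)
	}
	if _, err := getExistUserByBindingRuleSafe(users, info); err != nil {
		fmt.Println("safe rule:", err)
	}
}
```

The hardened rule returns an explicit error rather than quietly skipping the email match, so a caller cannot mistake "no verified match" for "no account exists" and proceed to link anyway; the decision about what to do with an unverified identity (create a separate account, or require the deployment's own email verification) is left to the caller.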
