CVE-2026-9092
Unverified Email Binding Leading to Account Takeover in Casdoor
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: CERT/CC
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| casdoor | casdoor | up to 2.362.0 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-9092 is a vulnerability in Casdoor versions 2.362.0 and earlier involving unverified email binding that may enable account takeover.
The vulnerability arises because the function getExistUserByBindingRule matches users by email without verifying the email_verified claim from upstream identity providers.
Moreover, the idp.UserInfo struct does not include an EmailVerified field, which allows an attacker to supply an unverified email claim from an upstream provider to take over accounts that use the same email address.
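The binding weakness described above, shown as an added Go example that is not Casdoor's code: a hypothetical `UserInfo` claim type with the missing `EmailVerified` field, a vulnerable lookup that links an upstream identity to an existing local account by email alone, and a hardened lookup that refuses email-based matching unless the provider asserts the email is verified. All type, function and sample-data names are assumptions for illustration, loosely modeled on the identifiers the advisory mentions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// UserInfo models the claims an upstream identity provider returns after login.
// Hypothetical type (not Casdoor's idp.UserInfo); EmailVerified is the field
// the advisory says the real struct lacked.
type UserInfo struct {
	Provider      string
	Subject       string // stable user id at the provider
	Email         string
	EmailVerified bool
}

// User is a local account record (constructed sample, not Casdoor's model).
type User struct {
	Name  string
	Email string
}

// ErrEmailUnverified is returned when an email claim is not trustworthy enough
// to use as a binding key.
var ErrEmailUnverified = errors.New("upstream email claim is not verified; refusing to bind by email")

// sampleUsers is a constructed directory with one existing local account.
var sampleUsers = []User{
	{Name: "victim", Email: "victim@example.com"},
}

// lookupByEmail returns the local user whose email matches (case-insensitively).
func lookupByEmail(users []User, email string) *User {
	for i := range users {
		if strings.EqualFold(users[i].Email, email) {
			return &users[i]
		}
	}
	return nil
}

// bindByEmailVulnerable mirrors the weakness the advisory describes: it matches
// an existing local account by email alone, trusting whatever email string the
// upstream provider supplied, verified or not.
func bindByEmailVulnerable(users []User, info UserInfo) (*User, error) {
	if u := lookupByEmail(users, info.Email); u != nil {
		return u, nil
	}
	return nil, errors.New("no existing user for this email")
}

// bindByEmailHardened links an upstream identity to an existing local account
// only when the provider asserts the email is verified. Unverified claims are
// rejected for email-based matching; a caller would fall back to matching on
// (Provider, Subject) or to an explicit verification step instead.
func bindByEmailHardened(users []User, info UserInfo) (*User, error) {
	if !info.EmailVerified {
		return nil, ErrEmailUnverified
	}
	if u := lookupByEmail(users, info.Email); u != nil {
		return u, nil
	}
	return nil, errors.New("no existing user for this email")
}

func main() {
	// Constructed claim: an unrelated upstream account whose email was never
	// verified but happens to equal an existing local user's email.
	claim := UserInfo{Provider: "example-idp", Subject: "unrelated-subject-123",
		Email: "victim@example.com", EmailVerified: false}

	u, err := bindByEmailVulnerable(sampleUsers, claim)
	fmt.Printf("vulnerable: user=%v err=%v\n", u, err) // binds to "victim"

	u, err = bindByEmailHardened(sampleUsers, claim)
	fmt.Printf("hardened:   user=%v err=%v\n", u, err) // rejected with ErrEmailUnverified
}
```

The design point is that email is only a safe linking key when the party asserting it has actually verified it; the hardened path makes that a precondition rather than an assumption, and a provider that never sends an `email_verified` claim is treated as unverified by default.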
How can this vulnerability impact me?
This vulnerability can lead to unauthorized account takeover by attackers.
Because the system does not verify whether an email address is verified before binding it to a user account, an attacker can supply an unverified email claim to gain access to accounts associated with that email.
This bypasses email verification controls and facilitates unauthorized access to user accounts, potentially compromising sensitive information and user data.