CVE-2026-9098
SAML Response Replay in Casdoor
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: CERT/CC
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| casdoor | casdoor | to 2.362.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
In Casdoor versions 2.362.0 and earlier, the SAML callback handler accepts any well-formed SAMLResponse sent to the /api/acs endpoint without verifying that it matches an AuthnRequest previously issued by Casdoor.
Additionally, if an administrator disables or deletes an Identity Provider (IdP) after a SAML authentication flow has started, the handler still processes the response using the provider snapshot loaded at the start of the request.
This allows an attacker who controls a registered upstream IdP to send unsolicited SAML responses or replay a legitimately captured response in a different session or after the original flow has ended.
In both cases, Casdoor accepts the response and issues a session, enabling persistent unauthorized access.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to gain persistent unauthorized access to the system by sending unsolicited or replayed SAML responses.
Such unauthorized access could lead to compromise of user accounts, sensitive data exposure, and potential further exploitation within the affected environment.