CVE-2026-9098
Deferred Deferred - Pending Action
SAML Response Replay in Casdoor

Publication date: 2026-05-28

Last updated on: 2026-06-02

Assigner: CERT/CC

Description
In Casdoor versions 2.362.0 and earlier, the SAML callback handler in controllers/auth.go accepts any well-formed SAMLResponse sent to /api/acs without verifying that it corresponds to an AuthnRequest previously issued by Casdoor. Additionally, if an administrator disables or deletes an IdP (Identity Provider) after a SAML flow has started, the handler still processes the response using the provider snapshot loaded at the start of the request. As a result, an attacker controlling a registered upstream IdP can send unsolicited SAML responses, or replay a legitimately captured response in a different session or after the original flow has ended. In both cases, Casdoor accepts the response and issues a session, enabling persistent unauthorized access.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-06-02
Generated
2026-06-18
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-9098
EUVD
EUVD-2026-32952
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
casdoor casdoor to 2.362.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

In Casdoor versions 2.362.0 and earlier, the SAML callback handler accepts any well-formed SAMLResponse sent to the /api/acs endpoint without verifying that it matches an AuthnRequest previously issued by Casdoor.

Additionally, if an administrator disables or deletes an Identity Provider (IdP) after a SAML authentication flow has started, the handler still processes the response using the provider snapshot loaded at the start of the request.

This allows an attacker who controls a registered upstream IdP to send unsolicited SAML responses or replay a legitimately captured response in a different session or after the original flow has ended.

In both cases, Casdoor accepts the response and issues a session, enabling persistent unauthorized access.

Impact Analysis

This vulnerability can allow an attacker to gain persistent unauthorized access to the system by sending unsolicited or replayed SAML responses.

Such unauthorized access could lead to compromise of user accounts, sensitive data exposure, and potential further exploitation within the affected environment.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9098. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart