PatchSiren cyber security CVE debrief
CVE-2026-9091 Casdoor CVE debrief
A logic flaw in Casdoor versions 2.362.0 and earlier allows MFA bypass during social-login binding. The binding-rule code path in controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable, permitting authentication without enforced MFA.
- Vendor: Casdoor
- Product: Unknown
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-29
Who should care
Organizations that rely on Casdoor for identity management with MFA requirements; security teams responsible for authentication infrastructure; developers maintaining Casdoor deployments.
Technical summary
The vulnerability lies in the social-login binding flow: the binding-rule code path invokes HandleLoggedIn directly without first calling checkMfaEnable. Users who authenticate through this path therefore complete login without MFA verification, even when MFA is configured as required for their account.
Defensive priority
High
Recommended defensive actions
- Review the social-login binding implementation in controllers/auth.go of your Casdoor deployment
- Verify that MFA is enforced on every authentication code path, in particular at each HandleLoggedIn call site
- Upgrade to a Casdoor release later than 2.362.0 once one is available
- Audit authentication logs for logins that completed without the expected MFA step
- Monitor the CERT/CC advisory for the vendor's response
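The flaw described in the technical summary is a missing call at one call site, and the second action above asks you to check every call site for it. The following Go snippet is an added, constructed illustration (not Casdoor's code; all names are hypothetical) of the vulnerable shape next to a hardened one that routes every entry point through a single MFA-enforcing finisher, plus a small audit helper that exercises each entry point with an MFA-enabled user and reports any path that issued a session without an MFA step.

```go
package main

import (
	"fmt"
	"sort"
)

// Constructed model of a login pipeline (example code, not Casdoor's own).
type User struct {
	Name       string
	MfaEnabled bool
}
// SessionIssued: a logged-in session exists; MfaPending: login halted until the factor is verified.
type LoginResult struct{ SessionIssued, MfaPending bool }

// checkMfaEnable is the gate the advisory says the binding path never calls.
func checkMfaEnable(u User) bool { return u.MfaEnabled }

// handleLoggedIn creates the session and does no MFA check itself, so every caller must gate it.
func handleLoggedIn(u User) LoginResult { return LoginResult{SessionIssued: true} }

// Vulnerable shape: the binding path calls handleLoggedIn directly.
func bindSocialVulnerable(u User) LoginResult { return handleLoggedIn(u) }

// Hardened shape: one finisher enforces MFA before any session exists and every
// entry point goes through it, so a forgotten call site cannot skip the check.
func finishLogin(u User) LoginResult {
	if checkMfaEnable(u) {
		return LoginResult{MfaPending: true}
	}
	return handleLoggedIn(u)
}
func passwordLogin(u User) LoginResult   { return finishLogin(u) }
func bindSocialFixed(u User) LoginResult { return finishLogin(u) }

// auditEntryPoints drives every entry point with an MFA-enabled user and returns,
// sorted, the names of those that issued a session without an MFA step.
func auditEntryPoints(entries map[string]func(User) LoginResult) []string {
	u := User{Name: "audit", MfaEnabled: true}
	var bypass []string
	for name, fn := range entries {
		if r := fn(u); r.SessionIssued && !r.MfaPending {
			bypass = append(bypass, name)
		}
	}
	sort.Strings(bypass)
	return bypass
}

func main() {
	entries := map[string]func(User) LoginResult{"password": passwordLogin,
		"bindSocialVulnerable": bindSocialVulnerable, "bindSocialFixed": bindSocialFixed}
	fmt.Println("entry points issuing a session without MFA:", auditEntryPoints(entries))
}
```

Running the audit as a unit test in CI turns "verify every path" into a regression check that fails the moment a new entry point bypasses the finisher.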
Evidence notes
NVD record published 2026-05-28T17:16:33.953Z, modified 2026-05-28T18:00:22.543Z. VulnStatus: Deferred. CERT/CC reference provided.
Official resources
- CVE-2026-9091 CVE record (CVE.org)
- CVE-2026-9091 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-28T17:16:33.953Z