PatchSiren cyber security CVE debrief
CVE-2026-9092 Casdoor CVE debrief
Casdoor versions 2.362.0 and earlier contain an authentication bypass vulnerability in the identity provider (IdP) email binding flow. The `getExistUserByBindingRule` function matches existing user accounts by email address without verifying whether the upstream IdP has confirmed email ownership. The `idp.UserInfo` struct lacks an `EmailVerified` field entirely, preventing any validation of the `email_verified` claim from OAuth/OIDC providers. An attacker can authenticate through a compromised or malicious IdP account with an unverified email claim that matches a victim's registered email address, causing Casdoor to bind the attacker's IdP identity to the victim's existing account and enabling complete account takeover.
- Vendor: Casdoor
- Product: Unknown
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-28
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-28
Who should care
Organizations operating Casdoor identity and access management platforms; security teams managing OAuth/OIDC federation; developers implementing custom IdP integrations
Technical summary
The vulnerability lies in Casdoor's IdP user matching logic: `getExistUserByBindingRule` looks up an existing local account by the email address returned from the upstream provider, but never checks whether that provider actually verified the address. Because `idp.UserInfo` has no `EmailVerified` field, the `email_verified` claim from an OAuth/OIDC provider is dropped before the binding decision is made, so there is nothing for the matching code to check even if it wanted to. An attacker who controls an IdP account carrying an unverified email equal to a victim's registered address can therefore get their IdP identity linked to the victim's Casdoor account and sign in as the victim. Note that a fix has to do two things: carry the verification state through `idp.UserInfo`, and refuse email-based binding when that state is false or absent.
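The following is an added example, not Casdoor's code, showing the vulnerable email-only binding beside a hardened version that carries `email_verified` through the user-info struct and refuses to bind on an unverified claim. All names (`UserInfo`, `BindByEmailVulnerable`, `BindByEmailHardened`, `UserInfoFromClaims`, the `userStore` table and the claims maps) are hypothetical and constructed for this illustration; the `EmailVerified` field is precisely what the advisory says the real `idp.UserInfo` lacks.

```go
package main

import (
	"errors"
	"fmt"
)

// UserInfo is a stand-in for the struct an IdP callback returns. The
// EmailVerified field is this example's addition: the advisory states that
// Casdoor's idp.UserInfo has no such field, which is the root cause.
type UserInfo struct {
	Id            string
	Username      string
	Email         string
	EmailVerified bool
}

// User is a simplified local account record (hypothetical, not Casdoor's).
type User struct {
	Name  string
	Email string
}

// userStore is constructed sample data standing in for the user table.
var userStore = []*User{
	{Name: "alice", Email: "alice@example.com"},
}

func getUserByEmail(email string) *User {
	for _, u := range userStore {
		if u.Email == email {
			return u
		}
	}
	return nil
}

// BindByEmailVulnerable reproduces the flaw the advisory describes: any IdP
// identity carrying a matching email is bound to the existing account, whether
// or not the IdP verified that address.
func BindByEmailVulnerable(info UserInfo) *User {
	if info.Email == "" {
		return nil
	}
	return getUserByEmail(info.Email)
}

var ErrEmailNotVerified = errors.New("idp did not assert email_verified; refusing email-based binding")

// BindByEmailHardened only matches on email when the IdP asserted the address
// was verified. An unverified claim is reported as an error rather than a
// silent miss, so the caller can choose to create a separate account or reject.
func BindByEmailHardened(info UserInfo) (*User, error) {
	if info.Email == "" {
		return nil, nil
	}
	if !info.EmailVerified {
		return nil, ErrEmailNotVerified
	}
	return getUserByEmail(info.Email), nil
}

// UserInfoFromClaims builds UserInfo from decoded OIDC id_token/userinfo
// claims. Most providers send email_verified as a JSON bool, a few as the
// string "true"; anything else, including an absent claim, counts as false.
func UserInfoFromClaims(claims map[string]any) UserInfo {
	info := UserInfo{}
	info.Id, _ = claims["sub"].(string)
	info.Username, _ = claims["preferred_username"].(string)
	info.Email, _ = claims["email"].(string)
	switch v := claims["email_verified"].(type) {
	case bool:
		info.EmailVerified = v
	case string:
		info.EmailVerified = v == "true"
	}
	return info
}

func main() {
	// Constructed attacker claims: an IdP account whose unverified email
	// collides with the victim's registered address.
	attacker := UserInfoFromClaims(map[string]any{
		"sub": "attacker-0001", "email": "alice@example.com", "email_verified": false,
	})
	if u := BindByEmailVulnerable(attacker); u != nil {
		fmt.Printf("vulnerable: bound attacker IdP identity to %q\n", u.Name)
	}
	if _, err := BindByEmailHardened(attacker); err != nil {
		fmt.Println("hardened:", err)
	}
}
```

The important design choice is that an absent `email_verified` claim is treated as unverified rather than as "unknown, so allow": a provider that does not emit the claim gives you no basis for trusting the address, and defaulting to false is what makes the check safe across providers of differing quality.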
Defensive priority
high
Recommended defensive actions
- Audit Casdoor IdP integration configurations to identify deployments that bind IdP identities to existing accounts by email address
- Review upstream identity provider configurations and require email verification at the IdP level; note that this only helps for providers you control, so for public IdPs restrict the enabled providers to those known to verify addresses and emit `email_verified`, or disable email-based auto-binding for them
- Monitor authentication logs for anomalous IdP binding events, particularly new IdP associations on existing accounts, binds from a provider the account has not used before, and changes to the email associated with a bound identity
- Apply vendor patches when available; prioritize a Casdoor release that adds verification state to `idp.UserInfo` and makes `getExistUserByBindingRule` refuse email matches when that state is false or absent
- Until the patch is deployed, consider requiring an explicit email confirmation (for example, a one-time code sent to the registered address) before any new IdP binding is attached to an existing account, as a compensating control
Evidence notes
Vulnerability description confirms the `getExistUserByBindingRule` function performs email-based user matching without `email_verified` claim validation. The `idp.UserInfo` struct omission of `EmailVerified` field is architecturally confirmed in description. CERT/CC VU#780781 reference indicates coordinated disclosure. NVD status 'Deferred' suggests ongoing analysis or vendor coordination.
Official resources
- CVE-2026-9092 CVE record (CVE.org)
- CVE-2026-9092 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-28