PatchSiren cyber security CVE debrief

CVE-2026-9093 Casdoor CVE debrief

A missing audience validation vulnerability in Casdoor's SAML service provider implementation allows cross-service provider assertion acceptance.

Vendor: Casdoor
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

Organizations using Casdoor versions 2.362.0 or earlier for SAML-based authentication; security teams managing identity federation infrastructure; developers maintaining Casdoor deployments.

Technical summary

The vulnerability exists in Casdoor's SAML service provider implementation in `object/saml_sp.go`. The `buildSp` function does not set `AudienceURI` on the underlying `gosaml2.SAMLServiceProvider` struct and does not check `WarningInfo.NotInAudience` after assertion validation. Because the audience restriction, a critical security control in SAML, is therefore never enforced, SAML assertions intended for other service providers are accepted by Casdoor. An attacker with access to a valid SAML assertion issued for a different service provider could authenticate to Casdoor using that assertion.
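To make the missing control concrete, here is an added example (not Casdoor's or gosaml2's code) of the audience check a SAML service provider must perform: parse the assertion's `AudienceRestriction` and require that the SP's own entity ID appears in it, failing closed when it is absent. The function name `checkAudience`, the entity IDs and the embedded assertion are all constructed for this illustration.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
)

// Minimal view of the SAML 2.0 assertion elements needed for an audience check.
type assertion struct {
	XMLName    xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
	Conditions struct {
		Audiences []string `xml:"AudienceRestriction>Audience"`
	} `xml:"Conditions"`
}

var errNoRestriction = errors.New("assertion carries no AudienceRestriction")
var errNotInAudience = errors.New("assertion not intended for this service provider")

// checkAudience requires that expectedAudience (this SP's entity ID) appears in the
// assertion's AudienceRestriction. In gosaml2 this is the check enabled by setting
// AudienceURI, whose outcome is reported in WarningInfo.NotInAudience and must be acted on.
func checkAudience(assertionXML []byte, expectedAudience string) error {
	var a assertion
	if err := xml.Unmarshal(assertionXML, &a); err != nil {
		return fmt.Errorf("parse assertion: %w", err)
	}
	if len(a.Conditions.Audiences) == 0 {
		return errNoRestriction // fail closed: an unscoped assertion is not accepted
	}
	for _, aud := range a.Conditions.Audiences {
		if aud == expectedAudience {
			return nil
		}
	}
	return errNotInAudience
}

// Constructed sample (not a real capture): an assertion issued for a different SP.
const foreignAssertion = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://other-app.example.com/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>`

func main() {
	err := checkAudience([]byte(foreignAssertion), "https://casdoor.example.com/sp")
	fmt.Println("foreign assertion accepted:", err == nil) // prints false
}
```

Signature and timestamp validation still happen separately; this check only answers whether an otherwise valid assertion was issued for this service provider.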

Defensive priority

High

Recommended defensive actions

  • Upgrade Casdoor to a version newer than 2.362.0 that implements proper AudienceURI validation in the SAML service provider.
  • Review SAML assertion handling in `object/saml_sp.go` to ensure `AudienceURI` is set on the `gosaml2.SAMLServiceProvider` struct and `WarningInfo.NotInAudience` is inspected.
  • Audit authentication logs for SAML assertions that may have been accepted without proper audience validation.
  • Configure SAML identity providers to include strict AudienceRestriction elements in assertions as a defense-in-depth measure.

Evidence notes

CVE published 2026-05-28T17:16:34.210Z; modified 2026-05-28T18:00:22.543Z. CERT/CC VU#780781 reference present.

Official resources
