PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9094 Casdoor CVE debrief

A cross-organization token exchange vulnerability exists in Casdoor versions 2.362.0 and earlier. The GetTokenExchangeToken function in object/token_oauth.go validates the JWT signature of the subject token but never verifies that the user the token identifies belongs to the organization that owns the target application. A valid signature only proves who the user is, not which applications they may act on, so this missing authorization check lets an authenticated user from one organization obtain tokens for applications owned by other organizations: a privilege escalation across the tenant boundary. The vulnerability was disclosed on 2026-05-28 and is currently in Deferred status per NVD. No known exploitation in ransomware campaigns has been reported.

Vendor
Casdoor
Product
Casdoor
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-28
Advisory published
2026-05-28
Advisory updated
2026-05-28

Who should care

Organizations running the Casdoor identity and access management platform with more than one organization configured (the flaw crosses exactly that boundary, so multi-tenant deployments carry the real exposure); security teams operating OAuth 2.0 token exchange flows that rely on Casdoor; Casdoor administrators responsible for cross-organization access controls

Technical summary

The vulnerability resides in the GetTokenExchangeToken function within object/token_oauth.go. The function performs JWT signature validation on the subject token, but it lacks the object-level authorization step that should follow: confirming that the authenticated user belongs to the same organization as the application for which a token is being exchanged. The precondition is therefore modest: an attacker needs only a valid account in any one organization of the deployment, and what they gain is tokens for applications owned by a different organization. The flaw is structural in the token exchange flow rather than dependent on configuration, and it affects all deployments running version 2.362.0 or earlier.
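To make the missing step concrete, the following is an added example and not Casdoor's own code: the `Claims`, `Application` and `apps` definitions, the function names and the `owner/name` user identifier format are hypothetical stand-ins for an identity provider's records. `exchangeVulnerable` reproduces the shape of the defect described above (signature trusted, organization never compared), and `exchangeHardened` adds the check. Signature verification is assumed to have already happened before either function runs, since that is the step the page says is present.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Hypothetical records, not Casdoor's own types: a user is "<organization>/<name>"
// and an application is owned by exactly one organization.
type Claims struct {
	Owner string `json:"owner"` // organization the user belongs to
	Name  string `json:"name"`
}

type Application struct{ Name, Organization string }

// Constructed application store for the demonstration.
var apps = map[string]Application{
	"app-a": {Name: "app-a", Organization: "org-a"},
	"app-b": {Name: "app-b", Organization: "org-b"},
}

// claimsFromJWT decodes a compact JWT's payload. Signature verification is assumed to
// have already succeeded (the missing check comes after it), so the signature is ignored.
func claimsFromJWT(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Owner == "" || c.Name == "" { // fail closed: no organization, no exchange
		return nil, errors.New("claims missing owner or name")
	}
	return &c, nil
}

// resolve is the work both variants share: parse the subject token, look up the target application.
func resolve(subjectToken, appName string) (*Claims, Application, error) {
	c, err := claimsFromJWT(subjectToken)
	if err != nil {
		return nil, Application{}, err
	}
	app, ok := apps[appName]
	if !ok {
		return nil, Application{}, errors.New("unknown application")
	}
	return c, app, nil
}

// mintToken stands in for real issuance; it only records who got a token for what.
func mintToken(c *Claims, app Application) string {
	return fmt.Sprintf("token(user=%s/%s app=%s/%s)", c.Owner, c.Name, app.Organization, app.Name)
}

// exchangeVulnerable mirrors the described defect: any validly signed subject token
// yields a token for any application, whichever organization owns it.
func exchangeVulnerable(subjectToken, appName string) (string, error) {
	c, app, err := resolve(subjectToken, appName)
	if err != nil {
		return "", err
	}
	return mintToken(c, app), nil
}

// exchangeHardened adds the missing object-level authorization check.
func exchangeHardened(subjectToken, appName string) (string, error) {
	c, app, err := resolve(subjectToken, appName)
	if err != nil {
		return "", err
	}
	if c.Owner != app.Organization {
		return "", fmt.Errorf("user %s/%s is not in organization %s, which owns %s", c.Owner, c.Name, app.Organization, app.Name)
	}
	return mintToken(c, app), nil
}

// unsignedJWT builds a constructed subject token; "sig" is a placeholder signature segment.
func unsignedJWT(owner, name string) string {
	body, _ := json.Marshal(Claims{Owner: owner, Name: name})
	return base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`)) +
		"." + base64.RawURLEncoding.EncodeToString(body) + ".sig"
}

func main() {
	tok := unsignedJWT("org-a", "alice")         // alice belongs to org-a
	fmt.Println(exchangeVulnerable(tok, "app-b")) // issued for org-b's application
	fmt.Println(exchangeHardened(tok, "app-b"))   // rejected
	fmt.Println(exchangeHardened(tok, "app-a"))   // same organization: issued
}
```

The comparison in `exchangeHardened` is deliberately against the organization recorded on the application, not against anything in the request: the caller chooses the target application, so any organization value they could supply is attacker-controlled and must not be the reference side of the check.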

Defensive priority

high

Recommended defensive actions

  • Upgrade Casdoor as soon as the vendor publishes a release that addresses this CVE; the evidence gathered here names no fixed version, so confirm the release notes rather than assuming the next version after 2.362.0 is fixed
  • Review token exchange logs from the period before the patch is applied for requests in which the subject user's organization differs from the organization that owns the target application; any such entry is a candidate exploitation event
  • Until patched, add an authorization check at the application layer (for example in a reverse proxy or gateway in front of the token endpoint) that validates the user's organization membership before a token exchange is allowed through
  • Monitor for anomalous token exchange requests that cross organizational boundaries after patching as well, since the same pattern would indicate a regression or a bypass
  • Subscribe to vendor security advisories for Casdoor to receive patch notifications
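The log review step above is an offline comparison of two fields per request. The following is an added example of that comparison, not a tool the vendor ships: the `key=value` log format, the field names `grant`, `subject` and `target_app`, and every line in `sampleLog` are constructed for this page, so map them onto whatever your Casdoor deployment actually emits. It treats an entry whose organizations cannot be established as a finding too, so that malformed records are reviewed rather than silently dropped.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed log lines in a hypothetical key=value layout. Casdoor's real log
// format is not given on this page; substitute your own field names.
var sampleLog = []string{
	`2026-05-29T10:00:01Z grant=token_exchange subject=org-a/alice target_app=org-a/app-a result=issued`,
	`2026-05-29T10:00:07Z grant=token_exchange subject=org-a/alice target_app=org-b/app-b result=issued`,
	`2026-05-29T10:00:09Z grant=authorization_code subject=org-b/bob target_app=org-b/app-b result=issued`,
	`2026-05-29T10:00:12Z grant=token_exchange subject=org-c/carol target_app=org-a/app-a result=issued`,
	`2026-05-29T10:00:15Z grant=token_exchange subject=dave target_app=org-b/app-b result=issued`,
}

// Finding records one token exchange whose subject and target application live in
// different organizations, or whose organizations could not be determined.
type Finding struct {
	Time, User, UserOrg, App, AppOrg string
}

// fields splits a line into its timestamp and the key=value pairs that follow it.
func fields(line string) (string, map[string]string) {
	parts := strings.Fields(line)
	if len(parts) == 0 {
		return "", nil
	}
	kv := make(map[string]string)
	for _, p := range parts[1:] {
		if k, v, ok := strings.Cut(p, "="); ok {
			kv[k] = v
		}
	}
	return parts[0], kv
}

// orgOf returns the organization half of an "org/name" identifier.
func orgOf(id string) (string, bool) {
	org, _, found := strings.Cut(id, "/")
	if !found || org == "" {
		return "", false
	}
	return org, true
}

// crossOrgExchanges returns every token_exchange grant where the subject's organization
// differs from the target application's organization. Other grant types are ignored;
// entries whose organizations cannot be parsed are reported rather than skipped (fail closed).
func crossOrgExchanges(lines []string) []Finding {
	var out []Finding
	for _, line := range lines {
		ts, kv := fields(line)
		if kv["grant"] != "token_exchange" {
			continue
		}
		uOrg, okU := orgOf(kv["subject"])
		aOrg, okA := orgOf(kv["target_app"])
		if !okU || !okA || uOrg != aOrg {
			out = append(out, Finding{Time: ts, User: kv["subject"], UserOrg: uOrg, App: kv["target_app"], AppOrg: aOrg})
		}
	}
	return out
}

func main() {
	for _, f := range crossOrgExchanges(sampleLog) {
		fmt.Printf("%s subject %s (org %q) exchanged a token for %s (org %q)\n", f.Time, f.User, f.UserOrg, f.App, f.AppOrg)
	}
}
```

Run against the constructed sample it reports three entries: alice reaching into org-b, carol reaching into org-a, and the entry for dave, whose subject carries no organization at all.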

Evidence notes

Vulnerability description sourced from official CVE record. Affected versions confirmed as 2.362.0 and earlier. VulnStatus: Deferred per NVD source data. CERT/CC reference provided but no additional technical details available in supplied corpus.

Official resources

2026-05-28