PatchSiren cyber security CVE debrief
CVE-2026-9095 Casdoor CVE debrief
CVE-2026-9095 is a HIGH-severity authentication bypass vulnerability in Casdoor versions 2.362.0 and earlier, published 2026-05-28. The vulnerability stems from missing replay protection in the SAML service provider implementation. Specifically, the ParseSamlResponse() function in object/saml_sp.go processes SAML assertions without validating assertion IDs against a cache, enforcing OneTimeUse conditions, or implementing any replay detection mechanism. This allows an attacker who captures a valid SAML assertion to replay it and obtain an authenticated session for the assertion's subject—including administrative accounts—without possessing the user's password or MFA credentials. The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects network attack vector, high attack complexity due to the need to capture a valid assertion, no privileges required, no user interaction, and high impacts to confidentiality, integrity, and availability. The vulnerability is classified under CWE-294 (Authentication Bypass by Capture-replay). The CERT/CC has assigned VU#780781 to track this issue.
- Vendor: Casdoor
- Product: Unknown
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-28
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-28
Who should care
Organizations operating Casdoor identity management platforms versions 2.362.0 or earlier, particularly those using SAML-based single sign-on integrations. Security teams responsible for identity infrastructure, SAML service provider implementations, and authentication architecture reviews. Identity and access management administrators should prioritize this vulnerability due to complete MFA bypass potential.
Technical summary
The Casdoor identity platform's SAML service provider implementation fails to implement standard replay protection mechanisms. When processing SAML responses, ParseSamlResponse() directly maps retrieved assertion information to user sessions without: (1) maintaining a cache of processed assertion IDs to detect duplicates, (2) enforcing SAML OneTimeUse conditions that constrain assertion consumption, or (3) implementing any alternative replay detection. This architectural gap permits attackers with network access to capture valid SAML assertions—through traffic interception, log analysis, or other means—and subsequently replay them to establish authenticated sessions. The attack bypasses all authentication factors bound to the original assertion issuance, including passwords and MFA, because the SAML assertion itself serves as the authentication proof. Administrative accounts are equally affected, creating significant privilege escalation risk. The high attack complexity in CVSS scoring reflects the prerequisite of obtaining a valid assertion, not technical difficulty in exploitation once captured.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Casdoor to a version newer than 2.362.0 that implements SAML assertion replay protection
- Implement assertion ID caching with expiration matching SAML assertion validity windows
- Enforce OneTimeUse condition processing in SAML response validation
- Deploy network monitoring to detect anomalous SAML assertion patterns or repeated assertion IDs
- Review authentication logs for evidence of SAML assertion replay attempts prior to patching
- Consider implementing additional session binding validation beyond SAML assertion processing
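Added illustration, not Casdoor's code and not the project's shipped fix: a Go replay guard showing the assertion-ID cache bounded by the validity window that the technical summary and the first three actions above describe. The type and function names (`assertion`, `replayGuard`, `newReplayGuard`, `accept`) and the unsigned, trimmed sample assertion are constructed for this example; signature, audience and NotBefore checks are assumed to run before it.

```go
package main

import (
	"encoding/xml"
	"errors"
	"sync"
	"time"
)

var errReplay = errors.New("saml: assertion ID already consumed")
const sampleAssertion = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c0ffee01">
  <saml:Conditions NotBefore="2026-05-28T09:59:00Z" NotOnOrAfter="2026-05-28T10:05:00Z"><saml:OneTimeUse/></saml:Conditions></saml:Assertion>` // constructed sample, unsigned and trimmed
// Hypothetical minimal view of an assertion (not Casdoor's model); the tag matches saml:Conditions by local name.
type assertion struct {
	ID         string `xml:"ID,attr"`
	Conditions struct {
		NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
	} `xml:"Conditions"`
}

// replayGuard keeps consumed IDs until NotOnOrAfter, after which the time check alone rejects the assertion.
type replayGuard struct {
	mu   sync.Mutex
	seen map[string]time.Time
}

func newReplayGuard() *replayGuard { return &replayGuard{seen: map[string]time.Time{}} }
// accept succeeds once per assertion ID inside its window; all assertions are single-use, which covers OneTimeUse too.
func (g *replayGuard) accept(raw string, now time.Time) error {
	var a assertion
	if err := xml.Unmarshal([]byte(raw), &a); err != nil {
		return err
	}
	exp, err := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter) // no NotOnOrAfter means no cache bound: reject
	if a.ID == "" || err != nil || !now.Before(exp) {
		return errors.New("saml: assertion lacks an ID or NotOnOrAfter, or is expired")
	}
	g.mu.Lock()
	defer g.mu.Unlock()
	for id, e := range g.seen { // purge IDs the time check would reject anyway
		if !now.Before(e) {
			delete(g.seen, id)
		}
	}
	if _, dup := g.seen[a.ID]; dup {
		return errReplay
	}
	g.seen[a.ID] = exp
	return nil
}
```

The mutex matters: two concurrent presentations of the same assertion must not both pass the duplicate check, so the lookup and the insert happen under one lock.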
Evidence notes
Vulnerability description sourced from official CVE record and NVD entry. Technical details confirmed through CVE.org and NVD. CERT/CC reference VU#780781 provides additional authoritative context. CVSS vector and CWE classification extracted from NVD metadata. Vendor identification marked as unknown/needs review per source corpus.
Official resources
- CVE-2026-9095 CVE record (CVE.org)
- CVE-2026-9095 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-28