PatchSiren cyber security CVE debrief
CVE-2026-9096 Casdoor CVE debrief
Casdoor versions 2.362.0 and earlier contain a SAML authentication bypass vulnerability. The application uses the gosaml2 library for SAML response processing, which correctly computes time-validation results including NotOnOrAfter and NotBefore constraints. However, the ParseSamlResponse() function in Casdoor never reads the assertionInfo.WarningInfo field where these validation results are reported. Consequently, expired or not-yet-valid SAML assertions are accepted, allowing authentication with stale or prematurely issued credentials. The vulnerability was published on 2026-05-28 and remains in Deferred status per NVD. No CVSS score or severity has been assigned. CERT/CC has published additional guidance under VU#780781.
- Vendor: Casdoor
- Product: Unknown
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-28
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-28
Who should care
Organizations using Casdoor for SAML-based single sign-on, identity and access management teams, security engineers responsible for federated authentication infrastructure
Technical summary
The gosaml2 library used by Casdoor performs proper SAML assertion time validation and returns results in assertionInfo.WarningInfo. Casdoor's ParseSamlResponse() fails to inspect this field, causing all time-bound checks to be silently ignored. Attackers with access to expired or future-dated SAML assertions could authenticate to affected systems.
Defensive priority
high
Recommended defensive actions
- Upgrade Casdoor to a version newer than 2.362.0 when available
- Review SAML assertion handling code to ensure WarningInfo validation results are processed
- Implement additional SAML assertion time-bound checks (NotBefore/NotOnOrAfter) at the application layer as defense in depth
- Monitor authentication logs for anomalous SAML response patterns
- Subscribe to Casdoor security advisories for patch availability
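The following is an added example, not Casdoor's or gosaml2's code, covering both the technical summary and the two code-level actions above: it honours the library's WarningInfo verdict that ParseSamlResponse() discards, then re-checks the assertion's NotBefore/NotOnOrAfter window independently. The WarningInfo type is an assumed minimal stand-in for gosaml2's struct so the block compiles without the library, and the assertion fragment is constructed for demonstration.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"time"
)

// WarningInfo mirrors the gosaml2 AssertionInfo.WarningInfo field this
// example reads (assumed name, so the block compiles without the library).
type WarningInfo struct{ InvalidTime bool }

// conditions captures only the <saml:Conditions> time bounds of an assertion.
type conditions struct {
	Conditions struct {
		NotBefore    string `xml:"NotBefore,attr"`
		NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
	} `xml:"urn:oasis:names:tc:SAML:2.0:assertion Conditions"`
}

// ValidateAssertion does what the advisory says ParseSamlResponse() omits: it
// honours the library's time verdict, then re-checks the window itself (NotBefore
// inclusive, NotOnOrAfter exclusive, skew for clock drift). Signature verification is assumed done.
func ValidateAssertion(w *WarningInfo, assertionXML []byte, now time.Time, skew time.Duration) error {
	if w == nil || w.InvalidTime { // a missing verdict is never "valid"
		return fmt.Errorf("saml: no library verdict or assertion outside its time window")
	}
	var c conditions
	if err := xml.Unmarshal(assertionXML, &c); err != nil {
		return fmt.Errorf("saml: parse: %w", err)
	}
	notAfter, err := time.Parse(time.RFC3339, c.Conditions.NotOnOrAfter)
	if err != nil { // also rejects an empty NotOnOrAfter (unbounded assertion)
		return fmt.Errorf("saml: NotOnOrAfter: %w", err)
	}
	if !now.Add(-skew).Before(notAfter) {
		return fmt.Errorf("saml: assertion expired at %s", notAfter.UTC())
	}
	if nb := c.Conditions.NotBefore; nb != "" {
		notBefore, err := time.Parse(time.RFC3339, nb)
		if err != nil || now.Add(skew).Before(notBefore) {
			return fmt.Errorf("saml: NotBefore %q malformed or not yet reached", nb)
		}
	}
	return nil
}

// SampleAssertion is a constructed, unsigned fragment for demonstration only.
const SampleAssertion = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
<saml:Conditions NotBefore="2026-05-28T10:00:00Z" NotOnOrAfter="2026-05-28T10:05:00Z"/></saml:Assertion>`
```

In a real service provider, call ValidateAssertion only after the response signature has been verified; the XML re-check is defense in depth behind the library verdict, not a replacement for it.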
Evidence notes
CVE description confirms gosaml2 library computes time bounds but Casdoor discards WarningInfo field. NVD status shows Deferred. CERT/CC reference provides additional authoritative context.
Official resources
- CVE-2026-9096 CVE record (CVE.org)
- CVE-2026-9096 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-28