CVE-2026-9097 Casdoor CVE debrief

Who should care

Organizations using Casdoor for identity and access management, particularly those relying on token revocation for incident response or compromised credential handling. Security teams responsible for OAuth/OIDC implementation security and session lifecycle management.

Technical summary

The vulnerability exists in the OAuth token exchange implementation where JWT validation is incomplete. While cryptographic signature verification and claim extraction are performed, the system does not verify whether the token has been administratively revoked. This creates a gap between token lifecycle management (revocation capability) and token validation logic, effectively rendering revocation operations non-functional for token exchange flows.

Defensive priority

high

Recommended defensive actions

• Review Casdoor token exchange implementation in object/token_oauth.go to confirm GetTokenExchangeToken() behavior
• Implement Token table query to verify revocation status before completing token exchange
• Establish token lifecycle management procedures including explicit revocation checks for all token types
• Monitor for updates to Casdoor addressing this vulnerability
• Consider implementing additional session monitoring and anomaly detection for token exchange patterns

Evidence notes

The vulnerability description indicates that signature validation and claim parsing occur without subsequent revocation status verification against the Token table. The CVE was published on 2026-05-28 and modified later the same day. No CVSS score or severity rating is currently available in the source data.

Official resources