PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9098 Casdoor CVE debrief

CVE-2026-9098 describes an authentication bypass in Casdoor 2.362.0 and earlier, in the SAML callback handler. The weakness sits in the SAML assertion consumer service (ACS) at `/api/acs` and has two parts. First, the handler accepts any well-formed SAMLResponse without checking that it answers an AuthnRequest Casdoor actually issued; the SAML Web Browser SSO profile requires a service provider to reject a response whose InResponseTo does not match an outstanding request (IdP-initiated SSO is the one legitimate source of unsolicited responses, and a service provider that does not offer it should refuse them outright). Second, the handler works from a provider snapshot loaded when processing begins, so it keeps accepting responses for an upstream IdP that an administrator has since disabled or deleted. An attacker who controls a registered IdP, including one that has since been disabled or deleted but is still honored through the snapshot, can send unsolicited SAML responses, or replay legitimately captured responses in other sessions or after the original authentication flow has ended. In each case Casdoor accepts the response and issues a valid session, giving the attacker persistent unauthorized access. The record was published on 2026-05-28 and modified later the same day. No CVSS score or severity rating has been assigned in the available sources, and the National Vulnerability Database currently lists the entry's status as 'Deferred'.

Vendor: Casdoor
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

Organizations operating Casdoor identity and access management infrastructure, particularly those with SAML-based single sign-on integrations. Security teams responsible for federated authentication architectures, identity provider governance, and SSO security monitoring. Development teams maintaining Casdoor deployments or forks. Compliance officers overseeing identity assurance and access control requirements in regulated environments.

Technical summary

The vulnerability is in the SAML assertion consumer service within Casdoor's authentication controller. The handler at `/api/acs` (code path in `controllers/auth.go`) omits two SAML security controls: (1) InResponseTo validation, which correlates a SAMLResponse with an AuthnRequest the service provider issued and has not yet consumed, and (2) a check of the IdP's current configuration state at assertion-consumption time rather than against a snapshot cached when processing began. Because the handler does not require the InResponseTo attribute to name a valid, unexpired AuthnRequest ID held for the user's session, and does not revalidate the provider against the live IdP registry before issuing a session, an attacker who controls a registered IdP can inject assertions outside the normal flow, and anyone holding a captured response can replay it across sessions and after the flow has ended. A disabled or deleted IdP stays usable for as long as the cached snapshot is honored. The result is a complete authentication bypass: a Casdoor session established with identity attributes of the attacker's choosing. Two details matter for any fix: the pending-request record must carry the provider the request was sent to, so that the response is verified against that provider's current configuration, and the request ID must be marked consumed on first use, which is what makes a captured response worthless afterwards.
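The two missing controls, as an added example that is not Casdoor's code and does not reproduce `controllers/auth.go`: a minimal ACS-side state machine that binds each AuthnRequest ID to the provider it was sent to and a deadline, burns the ID on first use, and re-reads the provider's enabled state at consumption time instead of trusting a snapshot. `ProviderStore`, `ACS`, `BeginLogin`, `Consume` and `BuildResponse` are hypothetical names, the registry is a plain map standing in for the database, and signature, audience and NotOnOrAfter checks are assumed to have been done by the SAML library (against the bound provider's certificate) before `Consume` runs.

```go
package main

import (
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Only the attribute the correlation check needs; signature, audience and
// NotOnOrAfter validation are assumed to have passed before Consume runs.
type samlResponse struct {
	XMLName      xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol Response"`
	InResponseTo string   `xml:"InResponseTo,attr"`
}

// ProviderStore is a hypothetical stand-in for the live IdP registry
// (name -> enabled); a deleted provider is simply absent.
type ProviderStore map[string]bool

var (
	ErrUnsolicited      = errors.New("acs: response carries no InResponseTo")
	ErrNoPendingRequest = errors.New("acs: InResponseTo matches no open AuthnRequest")
	ErrRequestExpired   = errors.New("acs: AuthnRequest expired")
	ErrProviderDisabled = errors.New("acs: provider disabled or deleted")
)

type pending struct {
	provider string
	expires  time.Time
}

// ACS keeps the state the vulnerable handler lacks: open AuthnRequest IDs,
// each bound to the provider it was sent to and to a deadline.
type ACS struct {
	Now       func() time.Time // injectable clock
	Providers ProviderStore
	ttl       time.Duration
	mu        sync.Mutex
	pending   map[string]pending
}

func NewACS(ps ProviderStore, ttl time.Duration) *ACS {
	return &ACS{Now: time.Now, Providers: ps, ttl: ttl, pending: map[string]pending{}}
}

// BeginLogin records the ID of the AuthnRequest about to be sent to provider.
// requestID must come from a CSPRNG in real code.
func (a *ACS) BeginLogin(provider, requestID string) error {
	if !a.Providers[provider] {
		return ErrProviderDisabled
	}
	a.mu.Lock()
	defer a.mu.Unlock()
	a.pending[requestID] = pending{provider: provider, expires: a.Now().Add(a.ttl)}
	return nil
}

// Consume is the ACS check: correlate InResponseTo to an open request, burn it
// so it cannot be replayed, enforce the deadline, then re-read the provider's
// state now rather than from a login-time snapshot. Returns the provider name.
func (a *ACS) Consume(samlResponseB64 string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(samlResponseB64)
	if err != nil {
		return "", fmt.Errorf("acs: bad base64: %w", err)
	}
	var r samlResponse
	if err := xml.Unmarshal(raw, &r); err != nil {
		return "", fmt.Errorf("acs: bad xml: %w", err)
	}
	if r.InResponseTo == "" {
		return "", ErrUnsolicited // this SP does not offer IdP-initiated SSO
	}
	a.mu.Lock()
	defer a.mu.Unlock()
	req, ok := a.pending[r.InResponseTo]
	if !ok {
		return "", ErrNoPendingRequest // never issued, already used, or forged
	}
	delete(a.pending, r.InResponseTo) // single use, whether or not the rest passes
	if a.Now().After(req.expires) {
		return "", ErrRequestExpired
	}
	if !a.Providers[req.provider] { // live lookup, not the state at BeginLogin
		return "", ErrProviderDisabled
	}
	return req.provider, nil
}

// BuildResponse fabricates an unsigned, minimal sample response for the demo;
// an empty inResponseTo yields an unsolicited response with the attribute absent.
func BuildResponse(inResponseTo string) string {
	attr := ""
	if inResponseTo != "" {
		attr = fmt.Sprintf(` InResponseTo=%q`, inResponseTo)
	}
	x := `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r" Version="2.0"` + attr + `/>`
	return base64.StdEncoding.EncodeToString([]byte(x))
}
```

In use, the login endpoint calls `BeginLogin` just before redirecting the browser to the IdP, and the `/api/acs` handler calls `Consume` with the posted SAMLResponse form field after the SAML library has verified it; a session is issued only for the provider name `Consume` returns. Deleting the pending entry before the deadline and provider checks is deliberate: a response that fails late still burns its request ID, so a second attempt cannot succeed once the provider is re-enabled.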

Defensive priority

high

Recommended defensive actions

  • Review the SAML IdP configurations registered in Casdoor and delete or disable any provider that is untrusted or no longer needed; with this bug, disabling a provider does not stop responses still being processed against the cached snapshot, so confirm the change actually takes effect in the ACS path
  • Do not IP-restrict `/api/acs` to IdP address ranges: with the SAML HTTP-POST binding the SAMLResponse is posted by the user's browser, not by the IdP, so such a filter breaks legitimate SSO. Where network controls are feasible, apply them to the networks users sign in from, and put `/api/acs` behind the same rate limiting and request logging as the rest of the login surface
  • Monitor authentication logs for anomalous SAML response patterns: ACS posts with no InResponseTo, with an InResponseTo that matches no recently issued AuthnRequest, with an assertion ID seen before, or arriving long after the request was issued or for a provider that had already been disabled
  • Apply vendor patches when available; prioritize upgrading Casdoor to a release later than 2.362.0 whose release notes confirm SAML request-response correlation and a live provider check in the ACS
  • Add session-side replay controls: bind each outstanding AuthnRequest ID to the session that started it, mark it consumed on first use, and reject responses whose assertion IDs have already been seen within their validity window
  • Review IdP lifecycle procedures so that disabling or deleting a provider is verified to take effect immediately in the ACS path, not only in the stored configuration, and so that a decommissioned provider cannot be exploited through a cached snapshot
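The monitoring recommendation above, worked as an added example that is not part of this debrief or of Casdoor: an offline audit over a constructed key=value log excerpt that replays events in order and flags the ACS posts a correct handler would have refused. The log format and event names (`authn_request`, `acs_post`, `provider_disabled`) are hypothetical, since the page does not show Casdoor's actual log format; map the same fields (request ID, InResponseTo, assertion ID, provider) from whatever your application or reverse-proxy logs carry. `SampleLog`, `Audit` and `Finding` are names chosen here.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// SampleLog is a constructed excerpt in a hypothetical key=value format, not
// Casdoor's real log format. Line 2 is a clean flow; lines 3, 4, 7 and 9 are bad.
var SampleLog = []string{
	"2026-05-28T12:00:00Z event=authn_request id=_req1 provider=corp-idp",
	"2026-05-28T12:00:02Z event=acs_post in_response_to=_req1 assertion=_a1 provider=corp-idp",
	"2026-05-28T12:00:05Z event=acs_post in_response_to=_req1 assertion=_a1 provider=corp-idp",
	"2026-05-28T12:00:07Z event=acs_post assertion=_a2 provider=corp-idp",
	"2026-05-28T12:01:00Z event=authn_request id=_req2 provider=partner-idp",
	"2026-05-28T12:01:30Z event=provider_disabled provider=partner-idp",
	"2026-05-28T12:02:00Z event=acs_post in_response_to=_req2 assertion=_a3 provider=partner-idp",
	"2026-05-28T12:05:00Z event=authn_request id=_req3 provider=corp-idp",
	"2026-05-28T12:20:00Z event=acs_post in_response_to=_req3 assertion=_a4 provider=corp-idp",
}

// Finding names one ACS post the SP should have refused and why.
type Finding struct {
	Line   int
	Reason string
}

type event struct {
	ts                            time.Time
	kind, id, assertion, provider string
}

func parseLine(s string) (event, error) {
	fields := strings.Fields(s)
	if len(fields) == 0 {
		return event{}, fmt.Errorf("empty line")
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return event{}, err
	}
	kv := map[string]string{}
	for _, f := range fields[1:] {
		k, v, _ := strings.Cut(f, "=")
		kv[k] = v
	}
	e := event{ts: ts, kind: kv["event"], provider: kv["provider"], assertion: kv["assertion"]}
	e.id = kv["id"] + kv["in_response_to"] // a line carries one or the other
	return e, nil
}

// Audit replays the log in order, tracking open AuthnRequests, consumed
// assertion IDs and provider disable times, and flags ACS posts that are
// unsolicited, uncorrelated, late, repeated, or for a disabled provider.
func Audit(lines []string, window time.Duration) []Finding {
	var out []Finding
	flag := func(i int, f string, args ...any) { out = append(out, Finding{i + 1, fmt.Sprintf(f, args...)}) }
	open := map[string]event{}           // AuthnRequest ID -> request event
	seen := map[string]int{}             // assertion ID -> line first consumed
	disabledAt := map[string]time.Time{} // provider -> when it was disabled
	for i, l := range lines {
		e, err := parseLine(l)
		if err != nil {
			flag(i, "unparseable line: %v", err)
			continue
		}
		switch e.kind {
		case "authn_request":
			open[e.id] = e
		case "provider_disabled":
			disabledAt[e.provider] = e.ts
		case "acs_post":
			if e.id == "" {
				flag(i, "unsolicited response: no InResponseTo")
			} else if req, ok := open[e.id]; !ok {
				flag(i, "InResponseTo %s matches no open AuthnRequest (replayed or forged)", e.id)
			} else {
				delete(open, e.id) // first use closes the request
				if age := e.ts.Sub(req.ts); age > window {
					flag(i, "response for %s arrived %s after the request, past the %s window", e.id, age, window)
				}
			}
			if d, ok := disabledAt[e.provider]; ok && !e.ts.Before(d) {
				flag(i, "response accepted for provider %s disabled at %s", e.provider, d.Format(time.RFC3339))
			}
			if first, dup := seen[e.assertion]; dup {
				flag(i, "assertion %s already consumed at line %d", e.assertion, first)
			} else if e.assertion != "" {
				seen[e.assertion] = i + 1
			}
		}
	}
	return out
}
```

Run over `SampleLog` with a ten-minute window, `Audit` reports five findings: two on line 3 (a replay of line 2's response, caught both by the closed request ID and by the repeated assertion ID), the unsolicited post on line 4, the post on line 7 for a provider disabled thirty seconds earlier, and the post on line 9 that arrived fifteen minutes after its request. The window should match the AuthnRequest lifetime the service provider enforces; assertion IDs only need to be remembered for their NotOnOrAfter validity period in a production detector.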

Evidence notes

Vulnerability description sourced from official CVE record and NVD entry. Technical details regarding the SAML callback handler location (`controllers/auth.go`) and endpoint (`/api/acs`) are drawn directly from the CVE description. The affected version range (2.362.0 and earlier) is explicitly stated in the official record. The CERT/CC Vulnerability Note (VU#780781) is referenced as an additional source but was not directly consulted for this debrief.

Official resources

2026-05-28