PatchSiren

Casdoor CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

Review Casdoor CVE published 2026-05-28

CVE-2026-9098

CVE-2026-9098 describes an authentication bypass vulnerability in Casdoor versions 2.362.0 and earlier affecting the SAML callback handler. The vulnerability stems from two related weaknesses in the SAML assertion consumer service (ACS) implementation at `/api/acs`. First, the handler accepts any well-formed SAMLResponse without verifying that it corresponds to a previously issued AuthnRequest, violating [truncated]

Review Casdoor CVE published 2026-05-28

CVE-2026-9097

Casdoor versions 2.362.0 and earlier contain a missing authorization vulnerability in the token exchange flow. The GetTokenExchangeToken() function in object/token_oauth.go validates JWT signatures and parses claims but fails to query the Token table to verify whether the subject token has been revoked or invalidated. This omission prevents administrators from terminating active sessions or revoking compr [truncated]

Review Casdoor CVE published 2026-05-28

CVE-2026-9096

Casdoor versions 2.362.0 and earlier contain a SAML authentication bypass vulnerability. The application uses the gosaml2 library for SAML response processing, which correctly computes time-validation results including NotOnOrAfter and NotBefore constraints. However, the ParseSamlResponse() function in Casdoor never reads the assertionInfo.WarningInfo field where these validation results are reported. Con [truncated]

HIGH Casdoor CVE published 2026-05-28

CVE-2026-9095

CVE-2026-9095 is a HIGH-severity authentication bypass vulnerability in Casdoor versions 2.362.0 and earlier, published 2026-05-28. The vulnerability stems from missing replay protection in the SAML service provider implementation. Specifically, the ParseSamlResponse() function in object/saml_sp.go processes SAML assertions without validating assertion IDs against a cache, enforcing OneTimeUse conditions, [truncated]

Review Casdoor CVE published 2026-05-28

CVE-2026-9094

A cross-organization token exchange vulnerability exists in Casdoor versions 2.362.0 and earlier. The GetTokenExchangeToken function in object/token_oauth.go validates JWT signatures but fails to verify that the token's user belongs to the same organization as the target application. This missing authorization check enables privilege escalation across organizational boundaries, allowing an authenticated u [truncated]
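CVE-2026-9097 and CVE-2026-9094 above fail at the same point: GetTokenExchangeToken() stops once the subject token's signature checks out, so neither a revoked row in the Token table nor a mismatch between the user's organization and the target application's is ever consulted. The Go below is an added example for this debrief, not Casdoor's GetTokenExchangeToken(), its Token table or its JWT handling. It signs a JSON payload with HMAC-SHA256 in place of a JWT so it runs offline; `Exchanger`, `NewExchanger`, `Issue`, `Revoke`, `Exchange`, the `owner` claim and the error values are hypothetical names chosen for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var (
	ErrBadSignature = errors.New("token exchange: subject token signature invalid")
	ErrRevoked      = errors.New("token exchange: subject token revoked or not issued here")
	ErrUnknownApp   = errors.New("token exchange: unknown target application")
	ErrCrossOrg     = errors.New("token exchange: subject user is outside the target application's organization")
)

// Claims is the subset of subject-token claims the exchange consults.
type Claims struct {
	JTI   string `json:"jti"`   // key into the token table
	Owner string `json:"owner"` // organization the user belongs to
	User  string `json:"name"`
}

// Exchanger holds a hypothetical token table (JTI -> still live) and an
// application registry (name -> organization); both stand in for DB lookups.
type Exchanger struct {
	key    []byte
	tokens map[string]bool
	apps   map[string]string
	nextID int
}

func NewExchanger(key []byte, apps map[string]string) *Exchanger {
	return &Exchanger{key: key, tokens: map[string]bool{}, apps: apps}
}

func (e *Exchanger) mac(payload string) []byte {
	m := hmac.New(sha256.New, e.key)
	m.Write([]byte(payload))
	return m.Sum(nil)
}

// sign emits "<b64 json>.<b64 hmac>": a real signature standing in for a JWT.
func (e *Exchanger) sign(c Claims) string {
	body, _ := json.Marshal(c)
	payload := base64.RawURLEncoding.EncodeToString(body)
	return payload + "." + base64.RawURLEncoding.EncodeToString(e.mac(payload))
}

func (e *Exchanger) verify(raw string) (Claims, error) {
	payload, sig, ok := strings.Cut(raw, ".")
	got, err := base64.RawURLEncoding.DecodeString(sig)
	if !ok || err != nil || !hmac.Equal(e.mac(payload), got) {
		return Claims{}, ErrBadSignature
	}
	var c Claims
	body, err := base64.RawURLEncoding.DecodeString(payload)
	if err != nil || json.Unmarshal(body, &c) != nil {
		return Claims{}, ErrBadSignature
	}
	return c, nil
}

// Issue mints a live token and returns its claims and signed form.
func (e *Exchanger) Issue(owner, user string) (Claims, string) {
	e.nextID++
	c := Claims{JTI: fmt.Sprintf("tok-%d", e.nextID), Owner: owner, User: user}
	e.tokens[c.JTI] = true
	return c, e.sign(c)
}

// Revoke kills a token in the table; a signature check alone never sees this.
func (e *Exchanger) Revoke(jti string) { e.tokens[jti] = false }

// Exchange is the hardened flow: signature, then liveness in the token
// table, then organization match between the subject user and target app.
func (e *Exchanger) Exchange(subjectToken, targetApp string) (Claims, error) {
	c, err := e.verify(subjectToken)
	if err != nil {
		return Claims{}, err
	}
	if !e.tokens[c.JTI] {
		return Claims{}, ErrRevoked
	}
	org, ok := e.apps[targetApp]
	if !ok {
		return Claims{}, ErrUnknownApp
	}
	if org != c.Owner {
		return Claims{}, ErrCrossOrg
	}
	out, _ := e.Issue(c.Owner, c.User)
	return out, nil
}
```

Wire-up is `e := NewExchanger(key, map[string]string{"app-a": "acme"})`, then `_, tok := e.Issue("acme", "alice")` and `e.Exchange(tok, "app-a")`. The order of checks matters: the table lookup keys on the `jti` claim, so a token that verifies but was never issued here (or whose row was revoked) is rejected before any organization logic runs, and the organization comparison uses the claim from the verified subject token, never a caller-supplied value. In a real deployment the table lookup is the database query the advisory says is missing, and revoking must flip the row, not merely delete a session cookie.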

Review Casdoor CVE published 2026-05-28

CVE-2026-9093

A missing audience validation vulnerability in Casdoor's SAML service provider implementation allows an assertion that the identity provider issued for a different service provider to be accepted by Casdoor (cross-service-provider assertion acceptance).
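The four SAML advisories above (CVE-2026-9098, CVE-2026-9096, CVE-2026-9095 and CVE-2026-9093) all describe checks that belong in the same place: after the library has parsed and signature-checked the response, before the assertion is trusted. The Go below is an added example written for this debrief, not Casdoor's ParseSamlResponse() and not gosaml2's API. `WarningInfo`, `Assertion`, `SPValidator` and the sentinel errors are hypothetical names; `WarningInfo` only mimics the shape of the time and audience flags gosaml2 reports on `assertionInfo.WarningInfo`, and the example assumes the caller has already verified the signature.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

var (
	ErrUnsolicited   = errors.New("saml: response does not match an AuthnRequest we issued")
	ErrInvalidTime   = errors.New("saml: assertion outside its NotBefore/NotOnOrAfter window")
	ErrWrongAudience = errors.New("saml: assertion audience is not this service provider")
	ErrReplayed      = errors.New("saml: assertion ID already consumed")
)

// WarningInfo is a hypothetical stand-in for the time/audience flags a SAML
// library reports after parsing (gosaml2 has a similar AssertionInfo.WarningInfo).
type WarningInfo struct {
	InvalidTime   bool
	NotInAudience bool
}

// Assertion holds what the post-parse checks need; signature already verified by caller.
type Assertion struct {
	ID           string
	InResponseTo string
	Audience     string
	NotOnOrAfter time.Time
	Warnings     WarningInfo
}

// SPValidator remembers AuthnRequest IDs it issued and assertion IDs it
// accepted; both maps carry an expiry so they stay bounded.
type SPValidator struct {
	mu       sync.Mutex
	entityID string
	now      func() time.Time
	pending  map[string]time.Time // AuthnRequest ID -> response deadline
	consumed map[string]time.Time // assertion ID -> its NotOnOrAfter
}

func NewSPValidator(entityID string, now func() time.Time) *SPValidator {
	return &SPValidator{entityID: entityID, now: now, pending: map[string]time.Time{}, consumed: map[string]time.Time{}}
}

// IssueRequest records an AuthnRequest ID for later correlation; ttl bounds the IdP's reply time.
func (v *SPValidator) IssueRequest(id string, ttl time.Duration) {
	v.mu.Lock()
	defer v.mu.Unlock()
	v.pending[id] = v.now().Add(ttl)
}

// Consume runs, in order: InResponseTo correlation, the time verdict,
// audience restriction, and assertion-ID replay protection. Only a fully
// valid assertion burns its request ID and enters the replay cache.
func (v *SPValidator) Consume(a Assertion) error {
	v.mu.Lock()
	defer v.mu.Unlock()
	now := v.now()
	v.expire(now)
	deadline, issued := v.pending[a.InResponseTo]
	if a.InResponseTo == "" || !issued || !now.Before(deadline) {
		return ErrUnsolicited
	}
	if a.Warnings.InvalidTime || !now.Before(a.NotOnOrAfter) {
		return ErrInvalidTime
	}
	if a.Warnings.NotInAudience || a.Audience != v.entityID {
		return ErrWrongAudience
	}
	if _, seen := v.consumed[a.ID]; a.ID == "" || seen {
		return ErrReplayed
	}
	delete(v.pending, a.InResponseTo)
	v.consumed[a.ID] = a.NotOnOrAfter // cache need only outlive the assertion
	return nil
}

// expire drops unanswered request IDs and assertion IDs that could no
// longer pass the time check anyway.
func (v *SPValidator) expire(now time.Time) {
	for _, m := range []map[string]time.Time{v.pending, v.consumed} {
		for id, t := range m {
			if !now.Before(t) {
				delete(m, id)
			}
		}
	}
}

func main() {
	clock := time.Date(2026, 5, 28, 12, 0, 0, 0, time.UTC)
	v := NewSPValidator("https://sp.example.test/metadata", func() time.Time { return clock })
	v.IssueRequest("_req1", 5*time.Minute)
	a := Assertion{ID: "_a1", InResponseTo: "_req1", Audience: v.entityID, NotOnOrAfter: clock.Add(time.Minute)}
	fmt.Println(v.Consume(a), v.Consume(a)) // <nil> then unsolicited: the request ID was burned
}
```

Two design points a practitioner would want: the request ID is consumed on first success, so a second response for the same AuthnRequest is refused even before the assertion-ID cache is consulted, and the replay cache only has to remember an ID until its NotOnOrAfter, since anything older fails the time check on its own. The in-memory maps are enough for a single instance; behind a load balancer the pending and consumed sets need a shared store, or the replay protection is only per node.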

Review Casdoor CVE published 2026-05-28

CVE-2026-9092

Casdoor versions 2.362.0 and earlier contain an authentication bypass vulnerability in the identity provider (IdP) email binding flow. The `getExistUserByBindingRule` function matches existing user accounts by email address without verifying whether the upstream IdP has confirmed email ownership. The `idp.UserInfo` struct lacks an `EmailVerified` field entirely, preventing any validation of the `email_ver [truncated]

MEDIUM Casdoor CVE published 2026-05-28

CVE-2026-9091

A logic flaw in Casdoor versions 2.362.0 and earlier allows MFA bypass during social-login binding. The binding-rule code path in controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable, permitting authentication without enforced MFA.
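CVE-2026-9092 and CVE-2026-9091 both sit in the social-login binding path: the first matches an existing account by an email the IdP never vouched for, the second finishes the login without passing through the MFA check. The Go below is an added example for this debrief, not Casdoor's getExistUserByBindingRule, idp.UserInfo, HandleLoggedIn or checkMfaEnable. `UserInfo`, `ParseUserInfo`, `User`, `BindByEmail`, `finishLogin` and the outcome values are hypothetical names; the example assumes an OIDC-style userinfo document and handles the `email_verified` claim in both forms providers emit (a JSON bool and the string "true"). The sample documents are constructed for the demo.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var (
	ErrEmailUnverified = errors.New("binding: IdP did not confirm ownership of this email")
	ErrNoMatch         = errors.New("binding: no existing user with this email")
)

// UserInfo is a hypothetical IdP profile that, unlike the idp.UserInfo the
// advisory describes, carries the email_verified verdict.
type UserInfo struct {
	ID            string
	Email         string
	EmailVerified bool
}

// ParseUserInfo decodes an OIDC-style userinfo document. Providers disagree
// on email_verified: some send a JSON bool, some the string "true". Anything
// else, including an absent claim, counts as unverified.
func ParseUserInfo(raw []byte) (UserInfo, error) {
	var doc struct {
		Sub           string          `json:"sub"`
		Email         string          `json:"email"`
		EmailVerified json.RawMessage `json:"email_verified"`
	}
	if err := json.Unmarshal(raw, &doc); err != nil {
		return UserInfo{}, err
	}
	u := UserInfo{ID: doc.Sub, Email: strings.ToLower(doc.Email)}
	var asBool bool
	var asString string
	switch {
	case json.Unmarshal(doc.EmailVerified, &asBool) == nil:
		u.EmailVerified = asBool
	case json.Unmarshal(doc.EmailVerified, &asString) == nil:
		u.EmailVerified = strings.EqualFold(asString, "true")
	}
	return u, nil
}

// User is a local account; MfaEnabled is the flag the MFA gate consults.
type User struct {
	Name       string
	Email      string
	MfaEnabled bool
}

// LoginOutcome is what the binding path hands back: never a session while
// the account still owes a second factor.
type LoginOutcome int

const (
	OutcomeRejected LoginOutcome = iota
	OutcomeSessionIssued
	OutcomeMfaRequired
)

// BindByEmail is the hardened rule: match an existing account by email only
// when the IdP vouched for it, then route through finishLogin like every
// other path so MFA cannot be skipped.
func BindByEmail(users []User, info UserInfo) (LoginOutcome, *User, error) {
	if !info.EmailVerified {
		return OutcomeRejected, nil, ErrEmailUnverified
	}
	for i := range users {
		if strings.EqualFold(users[i].Email, info.Email) {
			return finishLogin(&users[i]), &users[i], nil
		}
	}
	// No match: the caller falls back to its sign-up flow; it must not
	// silently attach this identity to anyone.
	return OutcomeRejected, nil, ErrNoMatch
}

// finishLogin is the single chokepoint for all login paths; the MFA decision
// lives here so no caller can reach a session without it.
func finishLogin(u *User) LoginOutcome {
	if u.MfaEnabled {
		return OutcomeMfaRequired
	}
	return OutcomeSessionIssued
}

func main() {
	users := []User{{Name: "alice", Email: "alice@example.test", MfaEnabled: true}}
	info, _ := ParseUserInfo([]byte(`{"sub":"idp-1","email":"Alice@Example.test","email_verified":true}`))
	outcome, u, err := BindByEmail(users, info)
	fmt.Println(outcome == OutcomeMfaRequired, u.Name, err) // true alice <nil>
}
```

The structural fix for the MFA bypass is that every login path, binding included, returns through one function that owns the MFA decision; a caller that wants a session cannot reach one without going through it. For the email match, an unverified email is a hard stop rather than a fallthrough to "create a new account with that email", because the latter lets an attacker who controls an IdP account pre-register the victim's address.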