CVE-2026-9090

Severity: CRITICAL · CNA: certcc

Casdoor versions 2.362.0 and earlier contain a vulnerability that allows an attacker to bypass authentication by supplying an arbitrary signing certificate. The buildSpCertificateStore function extracts the X.509 certificate directly from the incoming SAMLResponse instead of using the trusted pre-configured Identity Provider certificate, allowing an attacker to forge assertions signed with an attacker-controlled key.

HarborGuard Analysis

Synopsis

This is an authentication bypass vulnerability in Casdoor versions 2.362.0 and earlier. The flaw is reachable over the network and requires no authentication, because the affected SAML processing function trusts a certificate supplied by the attacker inside the incoming SAMLResponse rather than validating against the pre-configured Identity Provider certificate. Successful exploitation lets an attacker forge SAML assertions and log in as any user, including administrators, giving full read and write access to data the compromised account can reach. HarborGuard tracks the upstream advisory and will make a patched-image rebuild available as soon as a fix version is published.
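To make the trust decision at the heart of this flaw concrete, the following Go program is an added illustration (it is neither Casdoor's code nor HarborGuard's, and its SignedResponse type and function names are hypothetical stand-ins for the XML-DSig processing a real SAML library performs). It contrasts a verifier that takes its trust anchor from the certificate embedded in the incoming response with one that only ever trusts the pre-configured Identity Provider certificate; all certificates and keys are generated in-process as constructed test material.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedResponse stands in for a signed SAMLResponse: the signed bytes, the
// signature over them, and the X.509 certificate carried in <ds:KeyInfo>.
type SignedResponse struct {
	Payload      []byte
	Signature    []byte
	EmbeddedCert *x509.Certificate
}

// must aborts on setup errors; the certificates here are constructed test material.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newSelfSignedCert mints a throwaway self-signed certificate and key (constructed).
func newSelfSignedCert(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// sign produces a response signed with key that embeds cert as its KeyInfo.
func sign(payload []byte, key *ecdsa.PrivateKey, cert *x509.Certificate) SignedResponse {
	h := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	must(err)
	return SignedResponse{Payload: payload, Signature: sig, EmbeddedCert: cert}
}

// VerifyFromEmbedded mirrors the flawed pattern in the advisory: the trust anchor
// is whatever certificate the response carries, so any self-consistent
// certificate/key pair passes and the check is circular.
func VerifyFromEmbedded(r SignedResponse) error {
	if r.EmbeddedCert == nil {
		return fmt.Errorf("response carries no certificate")
	}
	return r.EmbeddedCert.CheckSignature(x509.ECDSAWithSHA256, r.Payload, r.Signature)
}

// VerifyPinned is the corrected pattern: only the pre-configured IdP certificate
// is a trust anchor. An embedded certificate is accepted only as a hint and must
// be byte-identical to the pinned one; the signature is checked against the pin.
func VerifyPinned(idpCert *x509.Certificate, r SignedResponse) error {
	if r.EmbeddedCert != nil && !bytes.Equal(r.EmbeddedCert.Raw, idpCert.Raw) {
		return fmt.Errorf("embedded certificate does not match configured IdP certificate")
	}
	return idpCert.CheckSignature(x509.ECDSAWithSHA256, r.Payload, r.Signature)
}

// Demo signs one response with the configured IdP key and one with an unrelated
// key/certificate pair, and reports whether each verifier makes the right call.
func Demo() (embeddedAcceptsUnrelated, pinnedRejectsUnrelated, pinnedAcceptsGenuine bool) {
	idpCert, idpKey := newSelfSignedCert("configured-idp")
	otherCert, otherKey := newSelfSignedCert("unrelated-signer")
	genuine := sign([]byte("NameID=alice"), idpKey, idpCert)
	unrelated := sign([]byte("NameID=admin"), otherKey, otherCert)
	return VerifyFromEmbedded(unrelated) == nil,
		VerifyPinned(idpCert, unrelated) != nil,
		VerifyPinned(idpCert, genuine) == nil
}

func main() {
	a, b, c := Demo()
	fmt.Println("embedded-cert verifier accepts unrelated signer:", a)
	fmt.Println("pinned verifier rejects unrelated signer:", b, "| accepts genuine:", c)
}
```

The point of VerifyPinned is that the configuration, not the message, supplies the key: even when the response carries a certificate, it is only compared against the pinned one, never used as a verification key in its own right. When reviewing a SAML integration, the question to ask is where the certificate store passed to the signature validator is populated from; if any part of it comes from the request, the check is circular.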

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-9090 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that embed Casdoor. Any image found to include an affected version of Casdoor is flagged immediately.

Triage: Available

Triage is available with the full CVSS v3.1 score of 9.1 (Critical) surfaced alongside each finding, weighted against each customer environment's compliance policy to determine urgency and priority. Routing to the appropriate team or inbox within a customer organization is handled automatically based on those policy settings.

Patch: Pending upstream

Because no fix version has been published yet, HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Casdoor SAML endpoint over the network; no prior foothold on the host is needed.

  • Authentication: Not required

    No account or credential is required; the attacker interacts with the unauthenticated SAML login flow directly.

  • Victim interaction: Not required

    No user action is needed; the attacker submits a crafted SAMLResponse directly to the service.

  • Attack complexity: Low (CVSS AC:L)

    Exploit conditions are straightforward and reliable; no race conditions or special environmental factors are required to forge a valid-looking assertion.

Blast Radius

  • An attacker can authenticate as any user in the system, including administrators, by forging a SAML assertion signed with an attacker-controlled certificate.
  • All data readable by the impersonated account is exposed, including user records, application configurations, and stored credentials managed by Casdoor.
  • An attacker with admin-level access can modify user accounts, OAuth client registrations, identity provider configurations, and access control policies.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-9090 as of publication, HarborGuard continuously monitors the advisory and re-evaluates affected images on every ingest cycle. When an upstream patch is released, a patched-image rebuild will become available immediately, and customers with auto-remediation enabled will receive a rebuild, regression test run, and a PR opened against affected workloads without manual intervention. In the interim, compensating controls worth considering include isolating Casdoor instances behind a network policy that restricts SAML endpoint access to known Identity Provider IP ranges, applying egress filtering to limit lateral movement from a compromised instance, and disabling SAML-based login in favor of alternative authentication methods if Casdoor supports that configuration. HarborGuard will surface an updated finding and remediation path as soon as the upstream project publishes a fix.


Metrics

CVSS v3.1 score: 9.1
Severity: CRITICAL
Fixed in: no fix version published yet
Affected products: 1
Affected packages:
  • Casdoor / Casdoor, versions ≤ 2.362.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References: none listed