HarborGuard Database
CRITICAL | CVE-2026-9092 | CNA: certcc

CVE-2026-9092

Casdoor versions 2.362.0 and earlier contain a vulnerability involving unverified email binding that may enable account takeover. The getExistUserByBindingRule function matches users by email without checking the email_verified claim from upstream providers; the idp.UserInfo struct does not even include an EmailVerified field. An attacker can supply an unverified email claim from an upstream provider to take over accounts that use the same email address.
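
The following Go snippet is an added illustration, not Casdoor's code: it models the binding rule the advisory describes, with the flawed email-only match beside a hardened version that refuses to bind unless the provider asserted the email was verified. The UserInfo and User types, the EmailVerified field, and the lookup helper are assumptions constructed for this example.

```go
package main
import (
	"errors"
	"fmt"
)

// UserInfo models upstream provider claims. EmailVerified is an assumed field
// for this example; per the advisory, Casdoor's idp.UserInfo has none.
type UserInfo struct {
	Id            string
	Email         string
	EmailVerified bool
}

// User is a constructed stand-in for a stored Casdoor account.
type User struct{ Name, Email string }
var ErrUnverifiedEmail = errors.New("no verified email claim from provider; refusing email binding")

// findUserByEmail stands in for the lookup behind getExistUserByBindingRule.
func findUserByEmail(users []User, email string) *User {
	for i := range users {
		if users[i].Email == email {
			return &users[i]
		}
	}
	return nil
}
// vulnerableBinding mirrors the advisory's flaw: any email claim, verified or
// not, is enough to bind the login to an existing account.
func vulnerableBinding(users []User, info UserInfo) *User {
	return findUserByEmail(users, info.Email)
}

// hardenedBinding matches by email only when the provider asserted it verified
// the address; otherwise callers must fall back to the provider subject id.
func hardenedBinding(users []User, info UserInfo) (*User, error) {
	if info.Email == "" || !info.EmailVerified {
		return nil, ErrUnverifiedEmail
	}
	return findUserByEmail(users, info.Email), nil
}

func main() {
	users := []User{{"alice", "alice@example.com"}}              // constructed
	claim := UserInfo{Id: "sub-42", Email: "alice@example.com"} // not verified
	fmt.Println(vulnerableBinding(users, claim) != nil)         // true
	_, err := hardenedBinding(users, claim)
	fmt.Println(err) // binding refused
}
```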

Metrics

CVSS v3.1: 9.1
Severity: CRITICAL
Fixed in: no upstream fix version published yet
Affected products: 1


HarborGuard Analysis

Synopsis

An authentication bypass vulnerability in Casdoor (versions 2.362.0 and earlier) allows an attacker to take over existing accounts by supplying an unverified email claim from an upstream identity provider. The vulnerability is reachable over the network and requires no authentication or victim interaction, because the affected getExistUserByBindingRule function matches users by email address without ever checking whether that email was verified by the upstream provider. Successful exploitation gives the attacker full control of any Casdoor account that shares the targeted email address. HarborGuard tracks this advisory for patch availability and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection capability for CVE-2026-9092 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication, including custom-built images that bundle Casdoor. Matching covers both registry scans and in-pipeline scans so affected images are flagged before they reach production.

Triage: Available

HarborGuard is capable of scoring this CVE at its published CVSS v3.1 rating of 9.1 (CRITICAL) and weighting that score against each environment's compliance policy to prioritize routing. Triage findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Patch: Pending upstream

Because no fix version has been published upstream, HarborGuard re-checks the Casdoor advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention as soon as the fix version is confirmed.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Casdoor service over the network; the vulnerable endpoint is exposed via the standard web-facing authentication flow (AV:N).

  • Authentication: Not required

    No account or credentials are needed before exploiting this vulnerability; the attacker interacts as an unauthenticated user presenting a crafted identity-provider response (PR:N).

  • Victim interaction: Not required

    The attack is fully attacker-driven and does not require any action from a legitimate user or administrator (UI:N).

  • Attack complexity: Low

    Exploit conditions are straightforward and reliable; no race conditions, memory layout dependencies, or special environmental factors are required (AC:L).

Blast Radius

  • The attacker gains full authenticated access to any Casdoor account whose email address matches the unverified claim, effectively impersonating that account owner.
  • All data and resources accessible to the hijacked account become readable by the attacker, including profile data, linked application credentials, and any secrets stored in the account scope.
  • The attacker can modify account settings, linked identity providers, and access-control rules tied to the hijacked account, enabling persistent unauthorized changes.

How HarborGuard Handles This

Available on HarborGuard: images containing Casdoor at or below version 2.362.0 are flagged as CRITICAL the moment the CVE feed is ingested, typically within minutes of publication. Because no upstream fix exists yet, HarborGuard continuously re-checks the advisory on every ingest cycle and will surface a patched-image rebuild automatically when Casdoor ships a remediated release; for customers with auto-remediation enabled, a rebuilt image, regression test run, and PR against affected workloads will be generated without manual steps. In the meantime, compensating controls worth evaluating include network-policy isolation to restrict which services can reach the Casdoor authentication endpoint, enforcing strict allow-lists on upstream identity providers configured in Casdoor, and auditing existing accounts for signs of unauthorized email-binding changes. HarborGuard policy rules can be used to block promotion of images carrying this CVE through staging and production pipelines until a patched version is available.

Affected packages
  • Casdoor / Casdoor: ≤ 2.362.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N