CVE-2026-9093
Severity: CRITICAL. CNA: certcc.

In Casdoor versions 2.362.0 and earlier, the SAML service provider implementation does not validate the AudienceRestriction element in SAML assertions. The buildSp function in object/saml_sp.go never sets AudienceURI on the gosaml2 SAMLServiceProvider struct and never inspects WarningInfo.NotInAudience. This allows assertions issued for other service providers to be accepted by Casdoor.
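The missing check is small: a relying party must compare its own entity ID against the Audience values inside every AudienceRestriction of the assertion's Conditions, and reject the assertion on a mismatch. With gosaml2 that means setting AudienceURI on the SAMLServiceProvider to the SP's entity ID and rejecting any assertion whose WarningInfo.NotInAudience is true. The block below is an added example written for this page, not Casdoor or gosaml2 code: it models that check with the Go standard library only, so it runs offline. The entity IDs and the three assertions are constructed sample data, and refusing an assertion with no AudienceRestriction at all is a hardening choice made here, not a behaviour the page attributes to gosaml2.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"strings"
)

// Minimal view of a SAML 2.0 assertion: only the parts needed for the audience
// check. Signature, time-window and subject validation still have to happen
// before the assertion is trusted; this block covers only the AudienceRestriction
// check that CVE-2026-9093 describes as missing.
type Assertion struct {
	XMLName    xml.Name   `xml:"Assertion"`
	Issuer     string     `xml:"Issuer"`
	Conditions Conditions `xml:"Conditions"`
}

type Conditions struct {
	AudienceRestrictions []AudienceRestriction `xml:"AudienceRestriction"`
}

type AudienceRestriction struct {
	Audiences []string `xml:"Audience"`
}

var (
	ErrNoAudienceRestriction = errors.New("assertion carries no AudienceRestriction")
	ErrNotInAudience         = errors.New("assertion was not issued for this service provider")
)

// CheckAudience accepts the assertion only if every AudienceRestriction names
// spEntityID (SAML 2.0 Core 2.5.1.4 requires each restriction to be satisfied
// independently). Rejecting assertions that carry no AudienceRestriction at all
// is a hardening choice made in this example, not a specification requirement.
func CheckAudience(assertionXML []byte, spEntityID string) error {
	var a Assertion
	if err := xml.Unmarshal(assertionXML, &a); err != nil {
		return fmt.Errorf("parse assertion: %w", err)
	}
	if len(a.Conditions.AudienceRestrictions) == 0 {
		return ErrNoAudienceRestriction
	}
	for _, ar := range a.Conditions.AudienceRestrictions {
		matched := false
		for _, aud := range ar.Audiences {
			if strings.TrimSpace(aud) == spEntityID {
				matched = true
				break
			}
		}
		if !matched {
			return fmt.Errorf("%w: audiences %q, expected %q", ErrNotInAudience, ar.Audiences, spEntityID)
		}
	}
	return nil
}

// Constructed sample data for this example; not taken from Casdoor or a real IdP.
const CasdoorEntityID = "https://casdoor.example.test/api/acs"

// sampleAssertion wraps an (optional) AudienceRestriction fragment in a
// minimal, unsigned assertion document.
func sampleAssertion(audienceRestriction string) string {
	return `<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_id1" Version="2.0" IssueInstant="2026-01-01T00:00:00Z">
  <saml2:Issuer>https://idp.example.test/metadata</saml2:Issuer>
  <saml2:Conditions NotBefore="2026-01-01T00:00:00Z" NotOnOrAfter="2026-01-01T00:05:00Z">` + audienceRestriction + `
  </saml2:Conditions>
</saml2:Assertion>`
}

var (
	// Issued for Casdoor: must be accepted.
	AssertionForCasdoor = sampleAssertion(`<saml2:AudienceRestriction><saml2:Audience>` + CasdoorEntityID + `</saml2:Audience></saml2:AudienceRestriction>`)
	// Issued by the same IdP for an unrelated SP: the case the vulnerable code accepts.
	AssertionForOtherSP = sampleAssertion(`<saml2:AudienceRestriction><saml2:Audience>https://wiki.example.test/saml/acs</saml2:Audience></saml2:AudienceRestriction>`)
	// No AudienceRestriction at all.
	AssertionNoAudience = sampleAssertion(``)
)

func main() {
	cases := []struct{ name, doc string }{
		{"for-casdoor", AssertionForCasdoor},
		{"for-other-sp", AssertionForOtherSP},
		{"no-audience", AssertionNoAudience},
	}
	for _, c := range cases {
		if err := CheckAudience([]byte(c.doc), CasdoorEntityID); err != nil {
			fmt.Printf("%-13s rejected: %v\n", c.name, err)
			continue
		}
		fmt.Printf("%-13s accepted\n", c.name)
	}
}
```

Only the first assertion is accepted; the second is the cross-SP case this advisory describes, and the third shows the stricter no-restriction policy. In a real SP this check runs after signature verification and alongside the NotBefore/NotOnOrAfter window check, never instead of them.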

Metrics

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: none published yet
Affected Products: 1


HarborGuard Analysis

Synopsis

This is an authentication bypass vulnerability in Casdoor, an open-source identity and access management server. The flaw is reachable over the network without any credentials and requires no user interaction, as derived from the CVSS vector (AV:N/AC:L/PR:N/UI:N). An attacker who can obtain or forge a SAML assertion issued for any other service provider can present it to Casdoor and be accepted as a valid authenticated user, enabling full account takeover and access to protected resources. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-9093 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images derived from affected Casdoor base layers.

Triage: Available

Triage is available using the CVSS v3.1 score of 9.8 (Critical), weighted against each customer organization's compliance policy to determine severity priority; findings are routed automatically to the appropriate team inbox within each customer org based on configured ownership rules.

Patch: Pending upstream

Because no upstream fix version has been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Casdoor ships a remediated release. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention once the fix is available.

Exploit Conditions

  • Network reachability: Required

    The vulnerable SAML endpoint is exposed over the network, so an attacker must be able to reach the Casdoor service via HTTP/HTTPS from a remote origin.

  • Authentication: Not required

    No credentials are required; the attacker supplies a SAML assertion in the place of legitimate authentication, bypassing the credential check entirely.

  • Victim interaction: Not required

    No victim action is needed; the attacker sends a crafted SAML assertion directly to the service provider endpoint without any user involvement.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and condition-free once the attacker possesses or can forge a SAML assertion from any other service provider.

Blast Radius

  • A successful attacker is accepted as an authenticated user in Casdoor, gaining read access to all identity data, stored credentials, and user records managed by the instance.
  • The attacker can modify user accounts, roles, and access policies, effectively controlling downstream applications that rely on Casdoor for authentication.
  • The attacker can delete or corrupt identity records and configurations, causing denial of authentication services for legitimate users across integrated applications.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix for CVE-2026-9093 has been published, HarborGuard continuously re-checks the advisory on every ingest cycle and will trigger a patched-image rebuild automatically as soon as Casdoor releases a remediated version. In the interim, compensating controls are worth considering: network policy rules that restrict access to the Casdoor SAML endpoint to known, trusted identity provider IP ranges; egress filtering on containers running Casdoor to limit lateral movement if the service is compromised; and, where the deployment allows it, disabling SAML SP functionality via feature configuration until a patch is available. For customers with auto-remediation enabled, the moment an upstream fix is published, HarborGuard will produce a rebuilt image, run regression tests, and open a PR against affected workloads without requiring manual steps.

Affected packages
  • Casdoor / Casdoor
    ≤ 2.362.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H