CVE-2026-9094 | Severity: CRITICAL | CNA: certcc

CVE-2026-9094

Casdoor versions 2.362.0 and earlier contain a vulnerability enabling cross-organization token exchange. The GetTokenExchangeToken function in object/token_oauth.go validates JWT signatures but does not verify that the token's user belongs to the same organization as the target application. This can result in privilege escalation across organizational boundaries.

Metrics

  • CVSS v3.1: 9.8
  • Severity: CRITICAL
  • Fixed in: no fix version published yet
  • Affected products: 1


HarborGuard Analysis

Synopsis

This is an authentication bypass and privilege escalation vulnerability in Casdoor, an open-source identity and access management platform. The flaw is reachable over the network with no authentication required, as derived from the CVSS vector (AV:N, PR:N). A remote attacker can exchange a valid JWT from one organization to obtain a token scoped to a different organization, crossing tenant boundaries and gaining unauthorized access to resources, data, or administrative functions within the target organization. No fix version has been published yet; HarborGuard tracks this advisory and will surface a patched-image rebuild the moment an upstream fix is released.
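As an added illustration (not Casdoor's code), the hypothetical Go functions below model the defect described above: ExchangeVulnerable accepts any JWT whose signature verifies, regardless of organization, while ExchangeHardened adds the organization check the description says is missing. The Claims and Application types, the HS256 key and the SignHS256 helper are constructed assumptions, not Casdoor's real structs or signer.

```go
package main
import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Hypothetical minimal types (Casdoor's real structs differ); Org is the organization owning the user or application.
type Claims struct{ Sub, Org string }
type Application struct{ Name, Org string }
var ErrBadSignature, ErrOrgMismatch = errors.New("invalid signature"), errors.New("token user is not in the application's organization")
var enc = base64.RawURLEncoding
func hs256(input string, key []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return mac.Sum(nil)
}
// SignHS256 builds a compact HS256 JWT as constructed test input (not Casdoor's signer).
func SignHS256(c Claims, key []byte) string {
	payload, _ := json.Marshal(c)
	head := enc.EncodeToString([]byte(`{"alg":"HS256"}`)) + "." + enc.EncodeToString(payload)
	return head + "." + enc.EncodeToString(hs256(head, key))
}
// ExchangeVulnerable mirrors the described defect: a valid signature is the only gate, so a token issued under any organization is accepted for any application.
func ExchangeVulnerable(token string, key []byte, _ Application) (*Claims, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return nil, ErrBadSignature
	}
	sig, err := enc.DecodeString(p[2])
	if err != nil || !hmac.Equal(sig, hs256(p[0]+"."+p[1], key)) {
		return nil, ErrBadSignature
	}
	var c Claims
	if raw, err := enc.DecodeString(p[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, ErrBadSignature
	}
	return &c, nil
}
// ExchangeHardened keeps that signature check and adds the missing tenant-boundary test.
func ExchangeHardened(token string, key []byte, app Application) (*Claims, error) {
	c, err := ExchangeVulnerable(token, key, app)
	if err == nil && c.Org != app.Org {
		return nil, ErrOrgMismatch
	}
	return c, err
}
```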

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Casdoor at any affected version up to and including 2.362.0.

Triage: Available

HarborGuard is capable of scoring this finding at CVSS 9.8 Critical and weighting it against each environment's compliance policy to determine urgency. Triage routing is available to direct the alert to the appropriate team inbox within each customer organization based on policy configuration.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks the Casdoor advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be initiated without manual intervention once a fix version exists.

Exploit Conditions

  • Network reachability: Required

    The vulnerable token exchange endpoint is exposed over the network, so an attacker must be able to reach the Casdoor service via standard network connectivity.

  • Authentication: Not required

    No credentials or existing session in the target organization are needed; the attacker supplies only a valid JWT issued by any organization within the same Casdoor instance.

  • Victim interaction: Not required

    The attack is fully server-side and requires no action from any user or administrator to succeed.

  • Attack complexity: Low (AC:L)

    Exploitation is reliable and condition-free; the attacker only needs a legitimately issued JWT from any organization, with no race conditions or environmental factors to navigate.

Blast Radius

  • A successful attacker reads data and resources belonging to an arbitrary target organization within the Casdoor instance, including user records, application configurations, and any secrets the identity platform exposes via its API.
  • The attacker can modify organization-scoped data, including user roles, application settings, and access-control rules, by operating under the cross-organization token obtained through the exchange.
  • Because the attacker obtains a fully valid token for the target organization, they can disable accounts, revoke legitimate sessions, or lock administrators out of their own organization.
  • The confidentiality, integrity, and availability of every tenant sharing the same Casdoor deployment are affected, making this a full multi-tenant boundary break.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-9094 as of the publication date, HarborGuard continuously monitors the Casdoor advisory on every ingest cycle and will trigger a patched-image rebuild automatically once a fix version is published.

In the interim, customers can apply compensating controls directly: network-policy isolation limiting which services can reach the Casdoor token exchange endpoint, egress filtering to prevent lateral movement using an exchanged cross-organization token, and, where Casdoor is deployed as a sidecar or internal service, restricting its exposure to only the namespaces or pods that require it.

For customers with auto-remediation enabled, the rebuild plus regression test run and PR against affected workloads will begin within minutes of an upstream fix being published, with median time from CVE patch publication to merged PR around 90 minutes for Critical-severity issues in auto-remediation-enabled environments.

Affected packages

  • Casdoor / Casdoor: ≤ 2.362.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H