CVE-2026-9095: Casdoor SAML assertion replay allows authentication bypass
Casdoor versions 2.362.0 and earlier map SAML assertions to user sessions without replay protection. The ParseSamlResponse() function in object/saml_sp.go calls sp.RetrieveAssertionInfo() and immediately maps the result to a user session. There is no assertion ID cache, OneTimeUse condition enforcement, or replay detection anywhere in the SAML SP code path. As a result, an attacker can replay a previously captured SAML assertion to obtain an authenticated session for the assertion’s subject, including administrator accounts, without needing the user’s password or MFA credentials.
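The missing control described above, as an added example written for this page and not code from Casdoor or from the upstream advisory: a bounded assertion-ID cache plus NotBefore/NotOnOrAfter enforcement, in Go because the affected code path (object/saml_sp.go) is Go. Everything here is this example's own naming (the `assertion` struct, `replayCache`, `checkAssertion`); the assertion is constructed and unsigned; and the example assumes the caller has already verified the XML signature, as `RetrieveAssertionInfo()` would, since a replay check on an unverified assertion proves nothing.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"sync"
	"time"
)
var (
	ErrNoID    = errors.New("assertion has no ID attribute")
	ErrNotYet  = errors.New("assertion not yet valid (NotBefore)")
	ErrExpired = errors.New("assertion expired or missing NotOnOrAfter")
	ErrReplay  = errors.New("assertion ID already consumed: replay")
)

// assertion is the minimal view of a SAML 2.0 <Assertion> the replay check needs;
// raw is assumed to have passed signature verification before it gets here.
type assertion struct {
	XMLName    xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
	ID         string   `xml:"ID,attr"`
	NameID     string   `xml:"Subject>NameID"`
	Conditions struct {
		NotBefore    string    `xml:"NotBefore,attr"`
		NotOnOrAfter string    `xml:"NotOnOrAfter,attr"`
		OneTimeUse   *struct{} `xml:"OneTimeUse"` // non-nil when the element is present
	} `xml:"Conditions"`
}

// replayCache remembers consumed assertion IDs until NotOnOrAfter (plus skew) has
// passed; after that the time check alone rejects them, so entries can be dropped.
type replayCache struct {
	mu   sync.Mutex
	seen map[string]time.Time // assertion ID -> instant the entry may be dropped
}

func newReplayCache() *replayCache { return &replayCache{seen: map[string]time.Time{}} }

// consume is an atomic check-and-record; false means id was already used.
func (c *replayCache) consume(id string, dropAt, now time.Time) bool {
	c.mu.Lock()
	defer c.mu.Unlock()
	for k, exp := range c.seen { // prune IDs whose validity window has closed
		if !now.Before(exp) {
			delete(c.seen, k)
		}
	}
	if _, dup := c.seen[id]; dup {
		return false
	}
	c.seen[id] = dropAt
	return true
}

// checkAssertion enforces NotBefore/NotOnOrAfter (allowing clock skew) and consumes
// the assertion ID exactly once; NameID is returned only if a session may be created.
func checkAssertion(raw []byte, now time.Time, skew time.Duration, cache *replayCache) (string, error) {
	var a assertion
	if err := xml.Unmarshal(raw, &a); err != nil {
		return "", fmt.Errorf("parse assertion: %w", err)
	}
	if a.ID == "" {
		return "", ErrNoID
	}
	notOnOrAfter, err := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	if err != nil || !now.Before(notOnOrAfter.Add(skew)) {
		return "", ErrExpired // also refuses a missing NotOnOrAfter: the cache could never evict
	}
	if nb := a.Conditions.NotBefore; nb != "" {
		notBefore, err := time.Parse(time.RFC3339, nb)
		if err != nil || now.Before(notBefore.Add(-skew)) {
			return "", ErrNotYet
		}
	}
	// The Web Browser SSO profile requires the SP to track used IDs for the whole validity
	// window whether or not <OneTimeUse> is present, so every assertion goes through the cache.
	if !cache.consume(a.ID, notOnOrAfter.Add(skew), now) {
		return "", ErrReplay
	}
	return a.NameID, nil
}

// sampleAssertion is a constructed, unsigned assertion used only to exercise the check.
const sampleAssertion = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_7d1e4b9e-constructed" Version="2.0" IssueInstant="2026-03-01T12:00:00Z">
  <saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2026-03-01T12:00:00Z" NotOnOrAfter="2026-03-01T12:05:00Z">
    <saml:OneTimeUse/>
  </saml:Conditions>
</saml:Assertion>`

func main() {
	cache, now := newReplayCache(), time.Date(2026, 3, 1, 12, 1, 0, 0, time.UTC)
	for i := 1; i <= 2; i++ { // the second submission of the same bytes is the replay
		subj, err := checkAssertion([]byte(sampleAssertion), now, 30*time.Second, cache)
		fmt.Printf("attempt %d: subject=%q err=%v\n", i, subj, err)
	}
}
```

The first submission yields the subject `admin`; resubmitting the identical bytes inside the validity window is refused with `ErrReplay`, and a submission after NotOnOrAfter is refused on time alone, which is what lets the cache forget old IDs. In a multi-replica deployment the map would have to be replaced by a shared store (for example a key with a TTL equal to the remaining validity window) or the check is defeated by routing the replay to a different instance.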
HarborGuard Analysis
Synopsis
An authentication bypass via SAML assertion replay affects Casdoor versions 2.362.0 and earlier. The vulnerable code path is reachable over the network and requires no prior authentication: an attacker who has captured a valid SAML assertion can replay it to the SAML SP endpoint and obtain an authenticated session for the assertion's subject, including administrator accounts, without passing the password or MFA checks that protect a normal login. HarborGuard is tracking the advisory for patch availability, as no fix version has been published upstream.
HarborGuard Coverage
- Detection: Available. CVE-2026-9095 is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Casdoor at an affected version.
- Scoring and routing: Available. HarborGuard scores this finding at CVSS 8.1 HIGH using the published v3.1 vector, can weight it further against each environment's compliance policy, and routes the alert to the appropriate team inbox within the customer organization.
- Remediation: Pending upstream. Because no upstream fix version has been published, HarborGuard re-evaluates the advisory on every ingest cycle; the moment an upstream patch ships, a patched-image rebuild becomes available and, for customers with auto-remediation enabled, a regression run and PR against affected workloads are triggered automatically.
Exploit Conditions
- Network reachability: Required. The attacker must be able to reach the Casdoor SAML SP endpoint (the ACS URL) over the network (AV:N).
- Authentication: Not required. No credentials are needed before exploitation; the attacker only needs a previously captured SAML assertion (PR:N).
- Victim interaction: Not required. No victim action is needed at the time of the attack; the attacker submits the replayed assertion directly to the SP endpoint (UI:N).
- Attack complexity: High (AC:H). The attacker must first obtain a valid SAML assertion for the target subject, through interception or exfiltration, before the replay is possible.
Blast Radius
- Attacker gains an authenticated session for the assertion subject, including any administrator account, without knowing the user's password or MFA secret.
- Full read access to all data visible to the impersonated account, including other users' profiles, access-control rules, and connected application credentials stored in Casdoor.
- Full write access under the impersonated identity, allowing modification of user roles, OAuth client configurations, and identity-provider settings.
- Service integrity is fully compromised: an attacker holding a replayed administrator assertion can disable MFA enforcement, add backdoor accounts, or alter SAML/OIDC provider trust relationships, which persists access after the replayed assertion itself has expired.
How HarborGuard Handles This
Because no upstream fix exists for CVE-2026-9095 as of the publication date, HarborGuard continuously re-checks the advisory on every ingest cycle and will surface a patched-image rebuild the moment Casdoor ships a corrected release. For customers with auto-remediation enabled, HarborGuard will then rebuild affected images at the patched version, run regression tests, and open a PR against affected workloads automatically.
In the interim, customers can apply compensating controls in their own environment:
- Restrict who can reach the Casdoor ACS URL. With the SAML HTTP-POST binding the SAMLResponse is submitted by the user's browser, not by the identity provider, so allow-listing IdP addresses would block legitimate logins; instead use Kubernetes NetworkPolicy, an ingress allow-list or a VPN so that only the networks from which users are expected to authenticate can POST to the endpoint. This shrinks the set of hosts a captured assertion can be replayed from, but does not stop an attacker who is already on an allowed network.
- Enable audit logging on Casdoor's session-creation path and alert when the same assertion ID creates more than one session, or when one subject logs in repeatedly within a short window or from a source address not seen before.
- Consider temporarily disabling SAML-based login in favor of local or OIDC authentication if the deployment posture permits it.
- At the identity provider, shorten the assertion validity window (NotOnOrAfter) so a captured assertion goes stale sooner. This narrows the replay window only if the SP enforces the condition, which the advisory does not address, so treat it as defence in depth rather than a fix.
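The audit-log check suggested above, as an added example and not HarborGuard or Casdoor tooling: it scans constructed session-creation log lines for an assertion ID that created more than one session and for a burst of logins by one subject. The JSON schema (`ts`, `event`, `subject`, `assertion_id`, `src_ip`) is hypothetical, chosen for this example and not Casdoor's own log format; in practice the detection only works if the SP actually logs the assertion ID alongside the subject, which is worth confirming before relying on it.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// loginEvent is the assumed shape of one audit record from the SP's session-creation
// path; the field names are a hypothetical schema chosen for this example, not Casdoor's.
type loginEvent struct {
	TS          time.Time `json:"ts"`
	Event       string    `json:"event"`
	Subject     string    `json:"subject"`
	AssertionID string    `json:"assertion_id"`
	SrcIP       string    `json:"src_ip"`
}

type finding struct{ Kind, Subject, Detail string } // Kind: "assertion_reuse" or "login_burst"

// detectReplay scans newline-delimited JSON audit lines and reports every assertion ID
// that created more than one session (a replay by definition) and every subject with more
// than maxLogins SAML sessions inside a sliding window of length window. Lines that are
// not valid JSON are skipped and counted in the second result.
func detectReplay(logs string, window time.Duration, maxLogins int) ([]finding, int) {
	var events []loginEvent
	malformed := 0
	for _, line := range strings.Split(logs, "\n") {
		if line = strings.TrimSpace(line); line == "" {
			continue
		}
		var e loginEvent
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			malformed++
			continue
		}
		if e.Event == "saml_login" { // other login paths are out of scope here
			events = append(events, e)
		}
	}
	sort.Slice(events, func(i, j int) bool { return events[i].TS.Before(events[j].TS) })
	var out []finding
	first, reported, perSubject := map[string]loginEvent{}, map[string]bool{}, map[string][]time.Time{}
	for _, e := range events {
		perSubject[e.Subject] = append(perSubject[e.Subject], e.TS)
		prev, seen := first[e.AssertionID]
		if !seen {
			first[e.AssertionID] = e
			continue
		}
		if !reported[e.AssertionID] { // report each reused ID once, with both endpoints
			reported[e.AssertionID] = true
			out = append(out, finding{"assertion_reuse", e.Subject, fmt.Sprintf(
				"assertion %s first used %s from %s, reused %s from %s", e.AssertionID,
				prev.TS.Format(time.RFC3339), prev.SrcIP, e.TS.Format(time.RFC3339), e.SrcIP)})
		}
	}
	subjects := make([]string, 0, len(perSubject))
	for s := range perSubject {
		subjects = append(subjects, s)
	}
	sort.Strings(subjects) // deterministic output order
	for _, s := range subjects {
		ts, lo := perSubject[s], 0
		for hi := range ts { // ts is already sorted, so a two-pointer window suffices
			for ts[hi].Sub(ts[lo]) > window {
				lo++
			}
			if n := hi - lo + 1; n > maxLogins {
				out = append(out, finding{"login_burst", s, fmt.Sprintf(
					"%d SAML sessions within %s, last at %s", n, window, ts[hi].Format(time.RFC3339))})
				break
			}
		}
	}
	return out, malformed
}

// sampleLogs is constructed input: admin logs in once from 10.0.0.9, the same assertion is
// then replayed twice from 198.51.100.23, followed by an unrelated event and a broken line.
const sampleLogs = `
{"ts":"2026-03-01T12:01:30Z","event":"saml_login","subject":"admin","assertion_id":"_b7","src_ip":"10.0.0.9"}
{"ts":"2026-03-01T12:03:10Z","event":"saml_login","subject":"admin","assertion_id":"_b7","src_ip":"198.51.100.23"}
{"ts":"2026-03-01T12:03:40Z","event":"saml_login","subject":"admin","assertion_id":"_b7","src_ip":"198.51.100.23"}
{"ts":"2026-03-01T12:04:00Z","event":"saml_login","subject":"admin","assertion_id":"_c2","src_ip":"10.0.0.9"}
{"ts":"2026-03-01T12:09:00Z","event":"password_login","subject":"bob","assertion_id":"","src_ip":"10.0.0.7"}
this line is not JSON and is counted as malformed
`

func main() {
	findings, malformed := detectReplay(sampleLogs, 5*time.Minute, 3)
	for _, f := range findings {
		fmt.Printf("%-16s %-6s %s\n", f.Kind, f.Subject, f.Detail)
	}
	fmt.Println("malformed lines skipped:", malformed)
}
```

On the constructed input this yields one `assertion_reuse` finding for `_b7` (first used from 10.0.0.9, reused from 198.51.100.23) and one `login_burst` finding for `admin` (four sessions inside five minutes). Assertion-ID reuse is the high-confidence signal; the burst rule is noisier, so tune `window` and `maxLogins` against the deployment's real login cadence before paging on it.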
Metrics
- CVSS v3.1: 8.1 (HIGH)
- Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- Fixed in: not yet (no upstream fix published)
- Affected products (1): Casdoor / Casdoor ≤ 2.362.0