CVE-2026-9096
Casdoor versions 2.362.0 and earlier do not enforce SAML assertion time bounds. The gosaml2 library reports all time-validation results, including NotOnOrAfter and NotBefore, in the assertionInfo.WarningInfo field. However, ParseSamlResponse() never reads this field, meaning that time bounds are computed by the library but silently discarded before the user session is issued.
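The missing check is small: once the library has evaluated the assertion's `NotBefore`/`NotOnOrAfter` window, the service provider must actually read the result and refuse to issue a session when the window has passed. The following Go program is an added example, not Casdoor's or gosaml2's code, that does the equivalent directly on the `saml:Conditions` element with a clock-skew allowance and treats an assertion with no time bounds at all as a rejection. The assertion XML, the host names and every identifier in it are constructed for the example; with gosaml2 the corresponding step is to inspect `assertionInfo.WarningInfo` after `RetrieveAssertionInfo` (the flag there is named `InvalidTime` from memory of the library; confirm against the version in use) before trusting the returned identity.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// Conditions mirrors the saml:Conditions element; NotBefore and NotOnOrAfter
// bound the window in which the assertion may be accepted (both optional in SAML).
type Conditions struct {
	NotBefore    string `xml:"NotBefore,attr"`
	NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
}

// Assertion holds only the part of saml:Assertion this check needs.
// encoding/xml matches the local element name regardless of namespace prefix.
type Assertion struct {
	XMLName    xml.Name    `xml:"Assertion"`
	Conditions *Conditions `xml:"Conditions"`
}

// SampleAssertion is a constructed minimal assertion (not a real IdP capture):
// valid from 10:00:00Z up to, but excluding, 10:05:00Z on 2026-03-01.
const SampleAssertion = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0" IssueInstant="2026-03-01T10:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2026-03-01T10:00:00Z" NotOnOrAfter="2026-03-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.test</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>`

var (
	ErrNoTimeBounds = errors.New("assertion carries no Conditions time bounds")
	ErrNotYetValid  = errors.New("assertion not yet valid (NotBefore in the future)")
	ErrExpired      = errors.New("assertion expired (NotOnOrAfter reached)")
)

// CheckTimeBounds enforces NotBefore/NotOnOrAfter against now, crediting the
// assertion with up to skew of clock drift in either direction.
func CheckTimeBounds(c Conditions, now time.Time, skew time.Duration) error {
	if c.NotBefore != "" {
		nb, err := time.Parse(time.RFC3339, c.NotBefore)
		if err != nil {
			return fmt.Errorf("unparseable NotBefore %q: %w", c.NotBefore, err)
		}
		if now.Add(skew).Before(nb) {
			return fmt.Errorf("%w: NotBefore=%s now=%s", ErrNotYetValid,
				nb.UTC().Format(time.RFC3339), now.UTC().Format(time.RFC3339))
		}
	}
	if c.NotOnOrAfter != "" {
		noa, err := time.Parse(time.RFC3339, c.NotOnOrAfter)
		if err != nil {
			return fmt.Errorf("unparseable NotOnOrAfter %q: %w", c.NotOnOrAfter, err)
		}
		// NotOnOrAfter is exclusive: now (minus skew credit) must be strictly before it.
		if !now.Add(-skew).Before(noa) {
			return fmt.Errorf("%w: NotOnOrAfter=%s now=%s", ErrExpired,
				noa.UTC().Format(time.RFC3339), now.UTC().Format(time.RFC3339))
		}
	}
	return nil
}

// ValidateAssertionTime parses raw assertion XML and applies the bounds check.
// Signature verification and audience checks are deliberately out of scope here.
func ValidateAssertionTime(raw string, now time.Time, skew time.Duration) error {
	var a Assertion
	if err := xml.Unmarshal([]byte(raw), &a); err != nil {
		return fmt.Errorf("parse assertion: %w", err)
	}
	if a.Conditions == nil || (a.Conditions.NotBefore == "" && a.Conditions.NotOnOrAfter == "") {
		return ErrNoTimeBounds
	}
	return CheckTimeBounds(*a.Conditions, now, skew)
}

func main() {
	cases := []struct {
		label string
		now   time.Time
	}{
		{"inside window", time.Date(2026, 3, 1, 10, 2, 0, 0, time.UTC)},
		{"replayed 1h later", time.Date(2026, 3, 1, 11, 0, 0, 0, time.UTC)},
		{"future-dated", time.Date(2026, 3, 1, 9, 30, 0, 0, time.UTC)},
	}
	for _, c := range cases {
		fmt.Printf("%-18s -> %v\n", c.label, ValidateAssertionTime(SampleAssertion, c.now, 2*time.Minute))
	}
}
```

The skew allowance is applied symmetrically and kept small (a couple of minutes is typical); a large skew reopens exactly the replay window the bounds exist to close. Rejecting assertions that carry no `Conditions` at all is a policy choice that matches the "fail closed" behaviour a session-issuing endpoint should have.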
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: — (no upstream fix published)
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is an authentication bypass vulnerability in Casdoor, an open-source identity and access management server, affecting versions 2.362.0 and earlier. The flaw is reachable over the network with no credentials or user interaction required. A remote, unauthenticated attacker can replay expired or not-yet-valid SAML assertions to create arbitrary user sessions, bypassing time-based replay protection entirely. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Casdoor or its dependencies. Any image at Casdoor 2.362.0 or earlier is flagged automatically.
HarborGuard scores this finding at CVSS 7.5 (High) and weights it against each customer environment's compliance policy to determine escalation priority. Findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.
No upstream fix has been published for this CVE (remediation status: pending upstream). HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Casdoor releases a corrected version. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be initiated without manual intervention.
Exploit Conditions
- Network reachability: Required
  The attacker must reach the Casdoor SAML endpoint over the network; no local or physical access is required.
- Authentication: Not required
  No credentials are needed; the attacker submits a crafted or replayed SAML assertion without any prior login.
- Victim interaction: Not required
  The attack targets the server-side SAML response parser directly and requires no action from another user.
- Attack complexity: Low
  Exploitation is reliable and condition-free; the attacker only needs a valid (or previously valid) SAML assertion, with no race conditions or environmental constraints.
Blast Radius
- An attacker replays an expired or future-dated SAML assertion and obtains a fully authenticated session for any identity asserted in that token, including administrator accounts.
- Depending on the role encoded in the replayed assertion, the attacker can read, modify, or delete user records, OAuth clients, and identity-provider configurations stored in Casdoor.
- A compromised Casdoor instance acts as an upstream identity provider for downstream applications, so session hijacking here propagates access across every service that trusts Casdoor for authentication.
How HarborGuard Handles This
Because no upstream fix exists yet, HarborGuard continuously monitors the Casdoor advisory on every ingest cycle and will surface a patched-image rebuild the moment a corrected version is published. In the interim, customers are advised to apply network-policy controls that restrict which services can POST to the Casdoor SAML assertion-consumer endpoint, reducing the pool of hosts that can deliver a replayed assertion. Where feasible, disabling or sandboxing the SAML provider integration until a patch is available eliminates the vulnerable code path entirely. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be initiated automatically once an upstream fix version is confirmed.
Affected Products
- Casdoor / Casdoor: ≤ 2.362.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H