CVE-2026-9097
Casdoor versions 2.362.0 and earlier do not verify that a JWT used for token exchange is still active. The GetTokenExchangeToken() function in object/token_oauth.go validates the JWT signature and parses its claims, but never queries the Token table to verify whether the subject token has been revoked or invalidated. Because the revocation check is entirely absent, administrators are unable to terminate active sessions or revoke compromised tokens.
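The defect described above is the absence of one lookup between signature validation and token issuance. The following Go program is an added illustration, not Casdoor's own code: it implements a minimal HS256 JWT with the standard library, a hypothetical `TokenStore` interface that stands in for the Token table, and two exchange paths side by side. `exchangeVulnerable` mirrors the behaviour the advisory attributes to `GetTokenExchangeToken()` (signature and expiry checked, store never consulted); `exchangeFixed` adds the revocation check. The key, claims and store contents are constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of JWT claims this example needs.
type Claims struct {
	Sub string `json:"sub"`
	Jti string `json:"jti"`
	Exp int64  `json:"exp"`
}

// TokenStore is a hypothetical stand-in for Casdoor's Token table:
// it answers whether the token identified by jti is still active.
type TokenStore interface {
	IsActive(jti string) bool
}

// memStore is a constructed in-memory store mapping jti -> active flag.
type memStore map[string]bool

func (m memStore) IsActive(jti string) bool { return m[jti] }

var (
	ErrBadToken = errors.New("invalid token")
	ErrRevoked  = errors.New("subject token has been revoked")
)

// signHS256 builds a compact JWT (header.payload.signature) using HMAC-SHA256.
func signHS256(c Claims, key []byte) string {
	enc := base64.RawURLEncoding
	hdr := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, _ := json.Marshal(c)
	signingInput := hdr + "." + enc.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + enc.EncodeToString(mac.Sum(nil))
}

// parseAndVerify checks the HS256 signature (always HMAC, so the header's alg
// field cannot downgrade it) and the exp claim, then returns the claims.
func parseAndVerify(tok string, key []byte, now time.Time) (Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return Claims{}, ErrBadToken
	}
	enc := base64.RawURLEncoding
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := enc.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return Claims{}, ErrBadToken
	}
	raw, err := enc.DecodeString(parts[1])
	if err != nil {
		return Claims{}, ErrBadToken
	}
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return Claims{}, ErrBadToken
	}
	if now.Unix() >= c.Exp {
		return Claims{}, ErrBadToken
	}
	return c, nil
}

// issue mints a fresh one-hour token for sub with a new jti.
func issue(sub string, key []byte, now time.Time) string {
	return signHS256(Claims{Sub: sub, Jti: "new-" + sub, Exp: now.Add(time.Hour).Unix()}, key)
}

// exchangeVulnerable reproduces the advisory's flaw: the signature and claims
// are verified, but the store is never queried, so a revoked subject token
// still yields a new access token.
func exchangeVulnerable(subject string, key []byte, _ TokenStore, now time.Time) (string, error) {
	c, err := parseAndVerify(subject, key, now)
	if err != nil {
		return "", err
	}
	return issue(c.Sub, key, now), nil
}

// exchangeFixed adds the missing step: the subject token's jti must still be
// active in the store before anything is issued.
func exchangeFixed(subject string, key []byte, store TokenStore, now time.Time) (string, error) {
	c, err := parseAndVerify(subject, key, now)
	if err != nil {
		return "", err
	}
	if !store.IsActive(c.Jti) {
		return "", ErrRevoked
	}
	return issue(c.Sub, key, now), nil
}

// Demo issues a token, has an administrator revoke it, then runs both paths.
// It returns (vulnerable path issued a token, fixed path rejected with ErrRevoked).
func Demo() (bool, bool) {
	key := []byte("constructed-demo-key-do-not-reuse")
	now := time.Unix(1_700_000_000, 0)
	store := memStore{"tok-1": true}
	subject := signHS256(Claims{Sub: "alice", Jti: "tok-1", Exp: now.Add(time.Hour).Unix()}, key)
	store["tok-1"] = false // administrator terminates the session
	_, errV := exchangeVulnerable(subject, key, store, now)
	_, errF := exchangeFixed(subject, key, store, now)
	return errV == nil, errors.Is(errF, ErrRevoked)
}

func main() {
	v, f := Demo()
	fmt.Printf("vulnerable path issued a new token: %v\nfixed path rejected revoked token: %v\n", v, f)
}
```

The design point is that a valid signature proves only that the issuer once minted the token; whether the session behind it still exists is state the signature cannot carry, so any exchange or refresh path has to consult the revocation record before issuing. In a deployment, the store lookup should be keyed by a stable identifier such as `jti` and fail closed when the record is missing.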
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An authentication bypass vulnerability exists in Casdoor versions 2.362.0 and earlier due to missing token revocation checks in the OAuth token exchange flow. The flaw is reachable over the network with no authentication required, and no user interaction is needed to trigger it. Successful exploitation allows an attacker holding any previously issued JWT, even one that has been administratively revoked, to obtain a valid new access token and fully impersonate the token subject. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Casdoor at an affected version. Any image in a connected registry or CI pipeline that contains Casdoor 2.362.0 or earlier is flagged automatically.
- Status: Available
HarborGuard scores this finding at CVSS 9.8 Critical and weights it against each environment's compliance policy to determine urgency and routing. The resulting alert is directed to the appropriate team inbox within each customer organization based on configured ownership rules.
- Status: Available
Because no upstream fix version has been published yet, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available the moment Casdoor ships a corrective release. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be initiated automatically at that point.
- Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The vulnerable token exchange endpoint is exposed over the network, so an attacker must be able to reach the Casdoor service via HTTP/HTTPS.
- Authentication: Not required
No account or credential is required to initiate the token exchange request; possession of any previously issued JWT (including a revoked one) is sufficient.
- Victim interaction: Not required
The attacker acts entirely server-side against the token exchange endpoint; no user needs to click a link or take any action.
- Attack complexity: Detail
Exploitation is reliable and condition-free: the attacker only needs a JWT whose signature was once valid, with no race conditions or environment-specific factors required.
Blast Radius
- An attacker with a revoked or expired JWT obtains a fresh, valid access token and gains full access to the Casdoor-protected application on behalf of the token subject.
- Confidential data accessible to the impersonated user, such as stored session credentials, user profile records, and connected application data, is readable by the attacker.
- The attacker can modify or delete resources within the impersonated user's permissions, including user account settings and linked identity provider configurations.
- The attacker can sustain access indefinitely by repeatedly exchanging tokens, making administrative session termination ineffective for as long as the vulnerability is unpatched.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix exists for CVE-2026-9097 at this time, HarborGuard continuously monitors the advisory and will surface a patched-image rebuild the moment Casdoor publishes a corrective release. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will trigger automatically at that point, with no manual intervention needed. In the interim, compensating controls worth considering include restricting network access to the Casdoor token exchange endpoint via Kubernetes NetworkPolicy or an API gateway allowlist, enabling egress filtering to limit what Casdoor instances can reach if compromised, and auditing current JWT issuance to identify and contain tokens that should be considered compromised. HarborGuard will re-evaluate affected image status on every ingest cycle and update findings as the upstream advisory evolves.
- Casdoor / Casdoor: ≤ 2.362.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H