CVE-2026-9098
In Casdoor versions 2.362.0 and earlier, the SAML callback handler in controllers/auth.go accepts any well-formed SAMLResponse sent to /api/acs without verifying that it corresponds to an AuthnRequest previously issued by Casdoor. Additionally, if an administrator disables or deletes an IdP (Identity Provider) after a SAML flow has started, the handler still processes the response using the provider snapshot loaded at the start of the request. As a result, an attacker controlling a registered upstream IdP can send unsolicited SAML responses, or replay a legitimately captured response in a different session or after the original flow has ended. In both cases, Casdoor accepts the response and issues a session, enabling persistent unauthorized access.
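The two checks the flaw omits, shown as an added Go example that is not Casdoor's code and does not reproduce controllers/auth.go: a minimal ACS handler that accepts any well-formed Response matching a provider snapshot taken at flow start, beside a hardened one that binds each Response to an AuthnRequest ID the service provider actually issued (consumed on first use, so a replay fails) and re-reads the provider's enabled state at the moment the Response is processed. Every type and function name here (sp, acceptUnsafe, acceptHardened, buildResponse, issueRequest) and the sample Response are constructed for this illustration; signature and assertion validation are assumed to happen elsewhere.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Only the Response fields the two checks need; signature and assertion
// validation are assumed to happen elsewhere (hypothetical minimal model).
type samlResponse struct {
	XMLName      xml.Name `xml:"Response"`
	ID           string   `xml:"ID,attr"`
	InResponseTo string   `xml:"InResponseTo,attr"`
	Issuer       string   `xml:"Issuer"`
}

func parseResponse(raw string) (*samlResponse, error) {
	var r samlResponse
	if err := xml.Unmarshal([]byte(raw), &r); err != nil {
		return nil, fmt.Errorf("malformed SAMLResponse: %w", err)
	}
	if r.ID == "" || r.Issuer == "" {
		return nil, errors.New("SAMLResponse lacks ID or Issuer")
	}
	return &r, nil
}

// buildResponse constructs a minimal unsigned sample Response for this example.
func buildResponse(id, inResponseTo, issuer string) string {
	return fmt.Sprintf(`<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" `+
		`xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID=%q InResponseTo=%q>`+
		`<saml:Issuer>%s</saml:Issuer></samlp:Response>`, id, inResponseTo, issuer)
}

// provider is a registered upstream IdP; pendingReq is an AuthnRequest the
// service provider sent and has not yet seen answered.
type provider struct{ Name, Issuer string; Enabled bool }
type pendingReq struct{ providerName string; expires time.Time }

// sp is what the hardened handler consults at processing time: the live
// provider registry and the outstanding AuthnRequest IDs.
type sp struct {
	mu        sync.Mutex
	providers map[string]*provider  // keyed by IdP name
	pending   map[string]pendingReq // keyed by AuthnRequest ID
}

func newSP(ps ...*provider) *sp {
	s := &sp{providers: map[string]*provider{}, pending: map[string]pendingReq{}}
	for _, p := range ps {
		s.providers[p.Name] = p
	}
	return s
}

// setEnabled mirrors an administrator disabling or re-enabling an IdP.
func (s *sp) setEnabled(name string, on bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if p, ok := s.providers[name]; ok {
		p.Enabled = on
	}
}

// issueRequest records an AuthnRequest ID about to be sent so that only a
// Response answering it is accepted later, and only once.
func (s *sp) issueRequest(id, providerName string, now time.Time, ttl time.Duration) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.pending[id] = pendingReq{providerName: providerName, expires: now.Add(ttl)}
}

// acceptUnsafe mirrors the flawed pattern: any well-formed Response whose
// Issuer matches the snapshot taken when the flow started is accepted. Nothing
// ties it to an AuthnRequest, so unsolicited and replayed Responses pass, and
// a provider disabled mid-flow is never re-checked.
func acceptUnsafe(snapshot provider, raw string) (string, error) {
	r, err := parseResponse(raw)
	if err != nil {
		return "", err
	}
	if r.Issuer != snapshot.Issuer {
		return "", errors.New("issuer not registered")
	}
	return snapshot.Name, nil // caller would mint a session for this IdP's subject
}

// acceptHardened adds the two missing checks: the Response must answer an
// AuthnRequest this SP issued (consumed on first use), and the provider must
// still exist and be enabled when the Response is processed.
func (s *sp) acceptHardened(raw string, now time.Time) (string, error) {
	r, err := parseResponse(raw)
	if err != nil {
		return "", err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	req, ok := s.pending[r.InResponseTo]
	if !ok {
		return "", errors.New("InResponseTo matches no outstanding AuthnRequest (unsolicited or replayed)")
	}
	delete(s.pending, r.InResponseTo) // single use, even if a later check fails
	if now.After(req.expires) {
		return "", errors.New("AuthnRequest expired")
	}
	p, ok := s.providers[req.providerName]
	if !ok || !p.Enabled {
		return "", errors.New("provider deleted or disabled since the flow started")
	}
	if r.Issuer != p.Issuer {
		return "", errors.New("issuer does not match the provider the request went to")
	}
	return p.Name, nil
}
```

The pending entry is deleted before the expiry and provider checks run, so a Response that fails validation cannot be retried against the same request ID. In a deployment with several replicas the pending map would have to live in shared storage keyed the same way, and the TTL should be no longer than the IdP's own response validity window.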
Metrics
- CVSS v3.1: 9.1
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is an authentication bypass vulnerability in Casdoor, an open-source identity and access management server, affecting versions 2.362.0 and earlier. The SAML callback handler accepts any well-formed SAML response sent over the network without verifying it was requested by Casdoor, and it also continues processing responses tied to identity providers that have since been disabled or deleted. An attacker who controls a registered upstream identity provider, or who has captured a legitimate SAML response, can send unsolicited or replayed responses and receive a valid Casdoor session, gaining persistent unauthorized access without any credentials. HarborGuard is tracking the advisory for patch availability and will make a patched rebuild available as soon as an upstream fix is published.
HarborGuard Coverage
- Detection: Available
Detection of CVE-2026-9098 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Casdoor. No manual feed configuration is required for coverage to apply.
- Triage: Available
Triage is available with a CVSS v3.1 score of 9.1 (Critical), weighted further by each customer organization's compliance policy to determine priority and routing. Findings are dispatched to the appropriate team inbox within the customer org based on image ownership and policy configuration.
- Remediation: Pending upstream
Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, a rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention as soon as the fix is available.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Casdoor SAML callback endpoint (/api/acs) over the network; no local access or physical proximity is needed.
- Authentication: Not required
No account or credentials on the Casdoor instance are required; the attacker only needs to be able to send a well-formed SAMLResponse to the public endpoint.
- Victim interaction: Not required
No user action is needed; the attacker sends the unsolicited or replayed SAML response directly to the handler without involving any victim.
- Attack complexity: Low
Exploit conditions are straightforward and reliable: the attacker simply needs a registered upstream IdP or a captured SAML response, with no race conditions or special memory layout required.
Blast Radius
- Reads session tokens issued by Casdoor and any data accessible to the hijacked identity, including user profiles and directory information managed by the identity server.
- Modifies account settings, role assignments, or linked application permissions for the session identity, depending on that identity's privilege level within Casdoor.
- Establishes persistent unauthorized access by retaining the issued session, allowing repeated access without re-exploiting the flaw until the session is explicitly revoked.
- Enables lateral movement into any application or service that trusts Casdoor as its identity provider, since the issued session carries the full claims of the impersonated identity.
How HarborGuard Handles This
Available on HarborGuard: because no upstream patch for CVE-2026-9098 exists as of the publication date, HarborGuard continuously re-checks the advisory on every ingest cycle and will trigger a patched-image rebuild the moment a fix version is published. For customers with auto-remediation enabled, that rebuild will be followed by a regression-test run and a PR opened against affected workloads automatically. While waiting for an upstream fix, compensating controls worth evaluating include:
- restricting network access to the /api/acs endpoint via Kubernetes NetworkPolicy or an ingress-layer allowlist so only trusted IdP source addresses can POST to it (with the SAML HTTP-POST binding the Response reaches /api/acs through the end user's browser rather than from the IdP's own address, so confirm how each deployed IdP delivers responses before enforcing a source-address allowlist);
- auditing and removing any registered upstream IdPs that are no longer in active use, to reduce the pool of parties that can send unsolicited responses;
- enabling short session lifetimes and session-revocation hooks in Casdoor configuration to limit the window of persistent access if the vulnerability is exploited.
HarborGuard will surface the fix-version match and make the rebuild available across all affected environments as soon as the upstream advisory is updated.
Affected Products
- Casdoor / Casdoor: ≤ 2.362.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N