
Casdoor SSO Login Platform: 9 Auth-Bypass Flaws, CVE-2026-9090, No Fix



Makoto Horikawa

Backend Engineer / AWS / Django

2026.06.01 | 8 min read | 4 views
Key takeaways

Casdoor, the open-source SSO login platform, has 9 flaws letting attackers impersonate any user or admin. CERT/CC published May 28; v2.362.0 affected, no fix.

On May 28, 2026, the U.S. CERT/CC published nine vulnerabilities in the open-source login platform Casdoor that lead to authentication bypass and account takeover (VU#780781; in Japan, JVNVU#95478525). The affected releases are version 2.362.0 and earlier, and chaining several of the nine flaws lets an attacker log in as any account, including administrators, by impersonating a legitimate user. What makes this worse is that no fixed version closing these holes has been released yet. CERT/CC notified the Casdoor team on March 26, 2026, but could not reach them (uncoordinated disclosure), and no patch was available at publication.

Casdoor is a single sign-on (SSO) platform that lets one identity log in to many apps and services at once. SSO means that instead of typing a separate password for each tool, such as company email, chat, HR systems, and expense reports, you prove who you are just once at the gate and then reach every downstream app. Casdoor is developed by the community around the access-control library Casbin and is widely self-hosted on companies' own servers or clouds. Nine holes that let someone slip past identity checks were found at once in the heart of that login layer.

All nine relate to authentication and access management, and CERT/CC assigned them CVE-2026-9090 through CVE-2026-9098. Neither the CERT/CC note nor JVN lists a CVSS score (the common 0-10 severity metric). However, the U.S. National Vulnerability Database NVD shows a supplemental CISA-ADP score of 9.1 (Critical) for CVE-2026-9090, while NVD's own assessment is still pending.

What Casdoor Is

Casdoor is a central identity management tool that handles login, identity verification, and permission control together. It supports a wide range of authentication standards such as OAuth 2.0, OIDC, SAML, and LDAP, consolidating the login gateways of internal systems, SaaS, and in-house apps into one place. Its GitHub repository has gathered about 12,000 stars and is actively developed by the Casbin community. It has been chosen by organizations that want to self-host rather than pay for managed cloud identity platforms such as Auth0 or Okta.

Most of the vulnerabilities here cluster in the handling of one of the standards Casdoor supports, SAML. SAML is a scheme where an external identity service (an IdP, or Identity Provider) issues a signed statement (an assertion) saying "this person is who they claim to be," and the receiving app (an SP, or Service Provider) grants login based on it. Casdoor can act as both the receiver (SP) and the issuer (IdP). Safety depends on strictly checking whether a received assertion is genuine (signed by the IdP you actually trust), addressed to you, within its valid time, and not reused. Gaps existed at each of those checking stages.

Who Wants This Bug, and What Do They Walk Off With

What makes these nine frightening is that breaking through the single gate lets you into every downstream app as a legitimate user. Some of these holes work simply by supplying an assertion you forged or replaying a stolen response, and you can impersonate even an administrator. The people coming for it are intruders who slip past identity checks from outside, former employees whose accounts were never deleted after they left, insiders posing as a colleague, and third parties who hijacked a partner's IdP. What they get is employees' names and internal email, the appraisals and pay records in HR and payroll systems, the partner directory in the customer management system, and other administrator accounts themselves. The instant a forged assertion is accepted, the CEO's ID or the accounting team's ID alike can be freely impersonated by the attacker.

The damage does not stop at that one app. Posing as an administrator, the attacker can pivot across the downstream SaaS, pulling every employee's personal data out of HR and the partner directory out of customer management. From there, a real chain can unfold: selling that data as lists on the dark web, fooling accounting with wire-transfer emails posing as an executive, and using the stolen employee data as a foothold to break further into partners and subsidiaries. A "legitimate employee badge" handed out once is hard to tell apart from normal access in the logs, which is the troubling part.

Responsibility for this chain comes back to the company running Casdoor and the SaaS providers behind it. If personal data leaks, they must notify the individuals and report to Japan's Personal Information Protection Commission, and face compensation to partners and apologies to users. What is lost is not only the leaked data but the very trust of being "a company you can safely hand your login to." With no fix released, whether operators can act now directly determines safety.

What the Nine Vulnerabilities Are (CVE by CVE)

All nine are about slipping past identity checks, impersonating other people or organizations, or having access that should have been revoked still go through. Here is each one. The CVE numbers can be checked on the individual NVD pages (9090 through 9098).

CVE-2026-9090: SAML signature validation bypass via a forged certificate

When validating a received SAML response, Casdoor verified the signature using the certificate embedded in the incoming response itself rather than the pre-configured "trusted IdP certificate." An attacker can sign forged identity data with their own certificate, include it in the response, and pass validation. This is the most foundational of the nine; NVD shows a supplemental CISA score of 9.1 (Critical).
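To make the difference concrete, here is an added illustration (not Casdoor's code, and not the reporters' proof of concept) of the two verification strategies side by side. It stands in for SAML's XML signature with a plain Ed25519 signature over a byte payload and for the X.509 certificate in KeyInfo with an embedded public key; the key names and the "subject=..." payload are constructed for the demo. The vulnerable verifier trusts whatever key arrived with the message, so an attacker's own key pair passes; the hardened verifier checks only against the IdP key configured at setup time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Response is a constructed stand-in for a SAML Response: a signed payload plus
// the public key the sender shipped alongside the signature. In real SAML the
// shipped item is an X.509 certificate inside ds:KeyInfo.
type Response struct {
	Payload     []byte
	Signature   []byte
	EmbeddedKey ed25519.PublicKey
}

// Sign produces a Response the way any sender would: sign the payload and
// embed the matching public key. A legitimate IdP and an attacker do the same.
func Sign(priv ed25519.PrivateKey, payload []byte) Response {
	return Response{
		Payload:     payload,
		Signature:   ed25519.Sign(priv, payload),
		EmbeddedKey: priv.Public().(ed25519.PublicKey),
	}
}

// VerifyEmbedded mirrors the flaw described for CVE-2026-9090: the signature
// is checked against whatever key arrived inside the response, so anyone who
// holds a key pair passes.
func VerifyEmbedded(r Response) error {
	if !ed25519.Verify(r.EmbeddedKey, r.Payload, r.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// VerifyPinned is the hardened form: the signature must verify against the
// IdP key configured out of band at setup time. The embedded key is ignored.
func VerifyPinned(trustedIdP ed25519.PublicKey, r Response) error {
	if !ed25519.Verify(trustedIdP, r.Payload, r.Signature) {
		return errors.New("signature was not made by the configured IdP key")
	}
	return nil
}

func mustKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

// Demo builds one IdP key pair and one attacker key pair, then reports whether
// each verifier accepts the attacker's forged response and whether the pinned
// verifier still accepts a genuine one.
func Demo() (forgedByEmbedded, forgedByPinned, genuineByPinned bool) {
	idp := mustKey()
	attacker := mustKey()
	trusted := idp.Public().(ed25519.PublicKey)

	forged := Sign(attacker, []byte("subject=admin")) // attacker-chosen identity
	genuine := Sign(idp, []byte("subject=alice"))

	return VerifyEmbedded(forged) == nil,
		VerifyPinned(trusted, forged) == nil,
		VerifyPinned(trusted, genuine) == nil
}

func main() {
	a, b, c := Demo()
	fmt.Println("forged response, embedded-key check accepts:", a) // true
	fmt.Println("forged response, pinned-key check accepts:  ", b) // false
	fmt.Println("genuine response, pinned-key check accepts: ", c) // true
}
```

The point to carry over to any SAML library configuration: the IdP certificate used for verification must come from your own settings (metadata you imported and reviewed), never from the incoming message, and a certificate that merely appears in the message should at most be compared against the pinned one.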

CVE-2026-9091: Skipping multi-factor authentication via social login

The flow that binds a "social login" (logging in with an external account such as Google or GitHub) to an existing account (controllers/auth.go) is flawed and lets the otherwise-mandatory multi-factor authentication (MFA, a second check on top of the password, such as a code on your phone) be skipped. Even with MFA enforced, this path can bypass it.

CVE-2026-9092: Account takeover via an unverified email

The user-binding logic (getExistUserByBindingRule) links to an existing user by email address alone, without checking whether that email is verified as the person's own (email_verified). An attacker can take over an account merely by claiming the victim's email address.

CVE-2026-9093: Not validating the SAML audience (AudienceRestriction)

A SAML assertion carries an AudienceRestriction element stating "who this is intended for." Casdoor does not validate it or warn on a mismatch, so it may accept an assertion originally issued for a different service. This enables an attack that reuses an assertion legitimately issued for one service to log in to another.

CVE-2026-9094: Privilege escalation via cross-organization token exchange

When validating the pass issued after login (a JWT, a signed access token), Casdoor did not check whether the user belongs to the same organization as the target app. This makes "cross-organization privilege escalation" possible, using one organization's token against another organization's app to gain permissions one should not have.

CVE-2026-9095: Replaying a stolen login response (SAML replay)

When mapping a SAML assertion to a session, there is no replay (reuse) protection. With no record of assertion IDs already consumed and no OneTimeUse enforcement, an attacker who once captured a legitimate login response can simply resend it later and log in again.

CVE-2026-9096: Ignoring the validity window (NotBefore / NotOnOrAfter)

A SAML assertion carries NotBefore and NotOnOrAfter time bounds stating "valid from when to when." Casdoor computed this time check but silently discarded the result before issuing a session. As a result, an expired assertion still passes login. Combined with the replay flaw (CVE-2026-9095), the impact widens further.

CVE-2026-9097: Tokens that should have been revoked still go through

Casdoor never queried its management Token table to check whether a pass (token) had been invalidated (revoked). So even when an administrator believes they have invalidated a token, it actually still works. This is an operational dead end: you cannot stop a token once you learn it has leaked.
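The four non-SAML flaws (CVE-2026-9091, 9092, 9094 and 9097) all come down to a check that was missing at one decision point. The following is an added sketch, written for this article rather than taken from Casdoor, of where those checks belong: binding a social login to a local account only when the provider marks the email verified and only after any enforced second factor, and authorizing a token only when its organization matches the app's and the Token table does not mark it revoked. The user records, token IDs and organization names are constructed, and the store is an in-memory stand-in for the real tables.

```go
package main

import (
	"errors"
	"fmt"
)

// User is a constructed model of a local account.
type User struct {
	Name       string
	Org        string
	Email      string
	MFAEnabled bool
}

// SocialClaims is what an external provider (Google, GitHub, ...) asserts about
// the person who just signed in there. EmailVerified is the provider's own flag.
type SocialClaims struct {
	Email         string
	EmailVerified bool
}

// Token is the claims of an access token whose signature has already been checked.
type Token struct {
	ID      string // jti
	Subject string
	Org     string // organization the token was issued for
}

// Store stands in for the user table and the management Token table.
type Store struct {
	users   []User
	revoked map[string]bool // token ID -> revoked
}

var (
	ErrUnverifiedEmail = errors.New("provider has not verified this email; refusing to bind by email")
	ErrNoSuchUser      = errors.New("no local user with that email")
	ErrMFARequired     = errors.New("account enforces MFA; social login alone does not satisfy it")
	ErrOrgMismatch     = errors.New("token organization does not match the app's organization")
	ErrRevoked         = errors.New("token is marked revoked")
)

// BindSocialLogin links an external identity to a local account. mfaDone says
// whether the second factor was completed in this session.
func (s *Store) BindSocialLogin(c SocialClaims, mfaDone bool) (*User, error) {
	if !c.EmailVerified {
		return nil, ErrUnverifiedEmail // CVE-2026-9092: never bind on a bare email claim
	}
	for i := range s.users {
		u := &s.users[i]
		if u.Email != c.Email {
			continue
		}
		if u.MFAEnabled && !mfaDone {
			return nil, ErrMFARequired // CVE-2026-9091: the social path must not skip MFA
		}
		return u, nil
	}
	return nil, ErrNoSuchUser
}

// AuthorizeToken decides whether a token may be used against an app in appOrg.
func (s *Store) AuthorizeToken(t Token, appOrg string) error {
	if t.Org != appOrg {
		return ErrOrgMismatch // CVE-2026-9094: a token is scoped to its own organization
	}
	if s.revoked[t.ID] {
		return ErrRevoked // CVE-2026-9097: consult the Token table on every use
	}
	return nil
}

// Revoke marks a token invalid in the store.
func (s *Store) Revoke(tokenID string) { s.revoked[tokenID] = true }

// Demo runs constructed scenarios and returns each outcome by name.
func Demo() map[string]error {
	s := &Store{
		users: []User{
			{Name: "admin", Org: "corp", Email: "admin@corp.example", MFAEnabled: true},
			{Name: "alice", Org: "corp", Email: "alice@corp.example"},
		},
		revoked: map[string]bool{},
	}
	out := map[string]error{}
	_, out["unverified_email"] = s.BindSocialLogin(SocialClaims{Email: "admin@corp.example"}, true)
	_, out["mfa_skipped"] = s.BindSocialLogin(SocialClaims{Email: "admin@corp.example", EmailVerified: true}, false)
	_, out["bind_ok"] = s.BindSocialLogin(SocialClaims{Email: "alice@corp.example", EmailVerified: true}, false)

	partnerTok := Token{ID: "t-1", Subject: "bob", Org: "partner"}
	out["cross_org"] = s.AuthorizeToken(partnerTok, "corp")
	aliceTok := Token{ID: "t-2", Subject: "alice", Org: "corp"}
	out["token_ok"] = s.AuthorizeToken(aliceTok, "corp")
	s.Revoke("t-2")
	out["revoked"] = s.AuthorizeToken(aliceTok, "corp")
	return out
}

func main() {
	for name, err := range Demo() {
		fmt.Printf("%-17s -> %v\n", name, err)
	}
}
```

The revocation lookup is the part operators most often assume is happening: a signed JWT is self-validating, so unless every use consults the Token table (or an equivalent deny list) an administrator's revoke button changes nothing.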

CVE-2026-9098: Accepting an unsolicited login response

The SAML receiving endpoint (/api/acs) accepts any well-formed SAML response without correlating it to a login request (AuthnRequest) Casdoor issued beforehand. An attacker who has taken over a registered upstream IdP can simply send an unsolicited response or replay a captured legitimate one to establish persistent unauthorized access.
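The five SAML-assertion flaws above (CVE-2026-9090 aside, which is about the signature itself) are the checks an SP must run after the signature has been verified: audience (9093), validity window (9096), replay (9095) and correlation to an AuthnRequest we actually sent (9098). The following added example, written for this article and not taken from Casdoor or any SAML library, shows all four in one validator over a simplified assertion struct. The entity IDs, request IDs, assertion IDs and timestamps are constructed; the clock-skew allowance is a common practice, not something the advisory specifies.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// Assertion holds the fields of a SAML assertion these checks need. This is a
// constructed model; real code fills it from the parsed XML after the signature
// has already been verified against the pinned IdP certificate.
type Assertion struct {
	ID           string    // saml:Assertion/@ID
	Audience     string    // Conditions/AudienceRestriction/Audience
	InResponseTo string    // SubjectConfirmationData/@InResponseTo
	NotBefore    time.Time // Conditions/@NotBefore
	NotOnOrAfter time.Time // Conditions/@NotOnOrAfter
	Subject      string
}

var (
	ErrAudience    = errors.New("audience mismatch: assertion was issued for another service")
	ErrNotYet      = errors.New("assertion not yet valid (NotBefore)")
	ErrExpired     = errors.New("assertion expired (NotOnOrAfter)")
	ErrReplay      = errors.New("assertion ID already consumed")
	ErrUnsolicited = errors.New("no outstanding AuthnRequest matches InResponseTo")
)

// Validator is the SP-side state: our own entity ID, the AuthnRequest IDs we
// issued and are still waiting on, and the assertion IDs already consumed.
type Validator struct {
	mu        sync.Mutex
	entityID  string
	pending   map[string]time.Time // request ID -> deadline for the reply
	consumed  map[string]time.Time // assertion ID -> its NotOnOrAfter
	clockSkew time.Duration
}

func NewValidator(entityID string, clockSkew time.Duration) *Validator {
	return &Validator{
		entityID:  entityID,
		pending:   map[string]time.Time{},
		consumed:  map[string]time.Time{},
		clockSkew: clockSkew,
	}
}

// IssueRequest records an AuthnRequest ID so only solicited responses are accepted.
func (v *Validator) IssueRequest(id string, now time.Time) {
	v.mu.Lock()
	defer v.mu.Unlock()
	v.pending[id] = now.Add(10 * time.Minute)
}

// Accept runs the four checks in order and, only if all pass, marks the
// assertion consumed and the request answered.
func (v *Validator) Accept(a Assertion, now time.Time) error {
	v.mu.Lock()
	defer v.mu.Unlock()
	if a.Audience != v.entityID {
		return ErrAudience // CVE-2026-9093
	}
	if now.Add(v.clockSkew).Before(a.NotBefore) {
		return ErrNotYet // CVE-2026-9096
	}
	if !now.Add(-v.clockSkew).Before(a.NotOnOrAfter) {
		return ErrExpired // CVE-2026-9096
	}
	if _, seen := v.consumed[a.ID]; seen {
		return ErrReplay // CVE-2026-9095
	}
	deadline, ok := v.pending[a.InResponseTo]
	if !ok || now.After(deadline) {
		return ErrUnsolicited // CVE-2026-9098
	}
	delete(v.pending, a.InResponseTo)
	v.consumed[a.ID] = a.NotOnOrAfter
	// Forget consumed IDs once they could no longer pass the time check anyway.
	for id, exp := range v.consumed {
		if !now.Add(-v.clockSkew).Before(exp) {
			delete(v.consumed, id)
		}
	}
	return nil
}

// Demo runs constructed assertions through the validator and returns each
// scenario's outcome by name.
func Demo() map[string]error {
	now := time.Date(2026, 6, 1, 12, 0, 0, 0, time.UTC)
	sp := "https://sp.example.test/saml/metadata" // constructed entity ID
	v := NewValidator(sp, 30*time.Second)
	v.IssueRequest("req-1", now)
	v.IssueRequest("req-2", now)

	good := Assertion{ID: "_a1", Audience: sp, InResponseTo: "req-1", Subject: "alice",
		NotBefore: now.Add(-time.Minute), NotOnOrAfter: now.Add(5 * time.Minute)}
	out := map[string]error{}
	out["genuine"] = v.Accept(good, now)
	out["replay"] = v.Accept(good, now.Add(time.Second)) // same assertion again

	wrongAud := good
	wrongAud.ID, wrongAud.InResponseTo, wrongAud.Audience = "_a2", "req-2", "https://other-app.example.test"
	out["wrong_audience"] = v.Accept(wrongAud, now)

	expired := good
	expired.ID, expired.InResponseTo, expired.NotOnOrAfter = "_a3", "req-2", now.Add(-time.Minute)
	out["expired"] = v.Accept(expired, now)

	unsolicited := good
	unsolicited.ID, unsolicited.InResponseTo = "_a4", "req-never-issued"
	out["unsolicited"] = v.Accept(unsolicited, now)
	return out
}

func main() {
	for name, err := range Demo() {
		fmt.Printf("%-15s -> %v\n", name, err)
	}
}
```

Two design notes. The consumed-ID record only has to live as long as the assertion's NotOnOrAfter, which is why the time check and the replay check reinforce each other: discarding the time result, as CVE-2026-9096 describes, also makes any replay cache unbounded. And the pending-request map is what turns an IdP-initiated (unsolicited) response from "accepted if well-formed" into "rejected unless we asked," which is the behaviour CVE-2026-9098 says was missing at /api/acs.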

Vulnerability Summary

Item | Detail
CVE IDs | CVE-2026-9090 - CVE-2026-9098 (9 total)
Tracking IDs | CERT/CC VU#780781; JVNVU#95478525
CVSS | Not listed by CERT/CC or JVN (NVD CISA-ADP shows 9.1 Critical for 9090 only)
Class | Auth bypass, impersonation, privilege escalation (CWE-287)
Affected versions | 2.362.0 and earlier
Fixed version | None (as of June 1, 2026)
Reporters | Zixu (Jason) Zhou, David Lie, Ilya Grishchenko, Xiangyu Guo (Univ. of Toronto)
Notified / Published | Notified Mar 26, 2026; Published May 28, 2026 (uncoordinated)
Exploitation | Not in U.S. CISA KEV (no confirmed attacks)

Note that Casdoor version numbers grow with the commit count in a scheme like "v1.500.0," so the larger the number, the newer the release. The latest GitHub release at the time of writing is v3.75.0 (May 31, 2026), a newer line than the affected 2.362.0. However, CERT/CC explicitly states "no fix available" at publication, and there is no confirmation that the latest release reliably closes these nine. The U.S. CISA list of actively exploited flaws (KEV, Known Exploited Vulnerabilities) also does not list them as of June 1, 2026, given this is a new, uncoordinated disclosure.

Is Your Environment at Risk? (Impact Matrix)

The risk of the nine varies with whether you use SAML and how social login is configured. Check your Casdoor's state in the table below. Note that the token revocation bypass (CVE-2026-9097) and cross-organization escalation (CVE-2026-9094) can affect you even without SAML, so no configuration is entirely "unrelated."

Version | SAML SSO | Social login | Risk and action
2.362.0 or earlier | In use | In use | Maximum risk. All 9 may apply. Disable SAML and mitigate now
2.362.0 or earlier | In use | Not used | High risk. 7 SAML flaws apply. Limit to trusted IdPs + monitor
2.362.0 or earlier | Not used | In use | Medium-high. MFA + email takeover. Watch the 3 token-related flaws
2.362.0 or earlier | Not used | Not used | Token revocation / cross-org apply. Isolate high-privilege accounts
3.x (latest) | Either | Either | Fix unconfirmed. Track GitHub, keep mitigating

What to Do Right Now (Interim Mitigations)

Since no fixed version closing these has been released, operator-side mitigation is the top priority for now. Here are CERT/CC's recommendations plus practical measures. If you self-host Casdoor, consider the following.

1. Consider temporarily disabling SAML SSO. Seven of the nine involve SAML processing. Unless it is operationally essential, temporarily stopping SAML-based login until a fix is in sight is the single most effective move. If you cannot stop it, enforce step 2 below.

2. Limit to trusted IdPs only (allowlist). This is CERT/CC's top recommendation. Restrict the identity services (IdPs) Casdoor accepts to only the trusted ones you manage. Avoiding IdPs of unknown provenance or settings that anyone can add narrows the path for injecting forged assertions.

3. Isolate high-privilege accounts and add downstream layers. For critical accounts such as administrators, do not rely on Casdoor login alone; require independent multi-factor authentication (MFA) at the downstream apps as well. The idea is to keep a last line of defense even if Casdoor's gate is breached.

4. Review your token revocation practices. Because of CVE-2026-9097, tokens you believe revoked may still work. Avoid issuing long-lived tokens, set short expirations, and promptly delete accounts of leavers and transfers. If a leak is suspected, go as far as reissuing tokens (rotating keys).

5. Monitor SAML and token logs for anomalies. This is also a CERT/CC recommendation. Add to your watch points: SAML responses from unfamiliar IdPs, responses that arrive unsolicited (a sign of CVE-2026-9098), reuse of the same assertion ID (a sign of replay), and unnatural cross-organization token use. Pay special attention to unexpected access to /api/acs.

6. Track the official fix and apply it immediately. Keep checking the releases page and security advisories, and apply a fixed version or official GHSA promptly once published.
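Step 5 is the one you can automate today. The following added example, written for this article, runs the four watch points from step 5 over a handful of constructed log lines. The key=value log format, the IdP URLs, assertion IDs and organization names are all made up for the demo; Casdoor's real log layout is not documented on this page, so a real deployment would replace parseKV with whatever extracts those fields from its access log.

```go
package main

import (
	"fmt"
	"strings"
)

// SampleLog is a constructed access log in a simple key=value format (not
// Casdoor's own). Line 2 comes from an IdP not on the allowlist and carries no
// InResponseTo; line 3 reuses the assertion ID from line 1; line 4 uses a
// partner-organization token against a corp-organization app.
var SampleLog = []string{
	"ts=2026-06-01T09:00:01Z path=/api/acs issuer=https://idp.corp.example assertion_id=_a1 in_response_to=req-1",
	"ts=2026-06-01T09:00:05Z path=/api/acs issuer=https://idp.attacker.example assertion_id=_x9 in_response_to=",
	"ts=2026-06-01T09:02:10Z path=/api/acs issuer=https://idp.corp.example assertion_id=_a1 in_response_to=req-1",
	"ts=2026-06-01T09:03:00Z path=/api/get-user token_org=partner app_org=corp subject=bob",
	"ts=2026-06-01T09:03:30Z path=/api/get-user token_org=corp app_org=corp subject=alice",
}

// parseKV turns "k=v k2=v2" into a map. A trailing "k=" yields an empty value.
func parseKV(line string) map[string]string {
	m := map[string]string{}
	for _, field := range strings.Fields(line) {
		if k, v, ok := strings.Cut(field, "="); ok {
			m[k] = v
		}
	}
	return m
}

// Finding is one alert, tagged with the CVE whose exploitation it would signal.
type Finding struct {
	Line int
	CVE  string
	Msg  string
}

// Scan walks the log once and reports the four patterns from the article's
// step 5: unfamiliar IdP, unsolicited response, reused assertion ID, and
// cross-organization token use.
func Scan(lines []string, trustedIdPs map[string]bool) []Finding {
	var out []Finding
	firstSeen := map[string]int{} // assertion_id -> line where first accepted
	for i, line := range lines {
		n := i + 1
		kv := parseKV(line)
		switch kv["path"] {
		case "/api/acs":
			if !trustedIdPs[kv["issuer"]] {
				out = append(out, Finding{Line: n, CVE: "CVE-2026-9090",
					Msg: "SAML response from IdP not on the allowlist: " + kv["issuer"]})
			}
			if kv["in_response_to"] == "" {
				out = append(out, Finding{Line: n, CVE: "CVE-2026-9098",
					Msg: "unsolicited SAML response (no InResponseTo)"})
			}
			if id := kv["assertion_id"]; id != "" {
				if first, dup := firstSeen[id]; dup {
					out = append(out, Finding{Line: n, CVE: "CVE-2026-9095",
						Msg: fmt.Sprintf("assertion %s reused (first seen on line %d)", id, first)})
				} else {
					firstSeen[id] = n
				}
			}
		default:
			if org := kv["token_org"]; org != "" && org != kv["app_org"] {
				out = append(out, Finding{Line: n, CVE: "CVE-2026-9094",
					Msg: fmt.Sprintf("token for org %q used against app of org %q", org, kv["app_org"])})
			}
		}
	}
	return out
}

func main() {
	trusted := map[string]bool{"https://idp.corp.example": true} // constructed allowlist
	for _, f := range Scan(SampleLog, trusted) {
		fmt.Printf("line %d  %s  %s\n", f.Line, f.CVE, f.Msg)
	}
}
```

The assertion-ID memory is the part that needs care in production: it must be shared across every Casdoor instance behind a load balancer and retained at least as long as the longest NotOnOrAfter you would ever accept, otherwise a replay against a different node or after a cache restart goes unnoticed.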

To an attacker, the heart of login is "a master key that opens every room in the building once you get one." Beyond Casdoor, if you want to quickly grasp the flaws hiding in the open-source software you self-host, see also the OSS supply-chain scanner. Organizations running their own SSO platform should take this as a chance to review the range of IdPs they accept and to take stock of their accounts.
