Casdoor SSO Auth Bypass (CVE-2026-9090 to 9098): No Patch Yet, Here Is How to Lock It Down Now
If your organization self-hosts Casdoor as its SSO login server, you are affected: CERT/CC disclosed nine authentication-bypass flaws (CVE-2026-9090 to 9098, VU#780781) in v2.362.0 and earlier that let an attacker log in as any user or admin. There is still no patch as of June 22, 2026, so the fix is operational: restrict the IdPs Casdoor accepts to trusted ones and audit your accounts now.
Table of contents
If your organization self-hosts Casdoor as its SSO login server, you are affected: CERT/CC disclosed nine authentication-bypass flaws (CVE-2026-9090 to 9098, VU#780781) in v2.362.0 and earlier that let an attacker log in as any user or admin. There is still no patch as of June 22, 2026, so the fix is operational: restrict the IdPs Casdoor accepts to trusted ones and audit your accounts now.
If your organization self-hosts Casdoor as its single sign-on (SSO) login server, you are affected, and there is no patch to install yet. The U.S. CERT/CC disclosed nine authentication-bypass flaws (VU#780781, CVE-2026-9090 to CVE-2026-9098) in version 2.362.0 and earlier that let an attacker log in as any account, administrators included, by faking who they are. Because no fix exists, the single most important thing to do today is to restrict the identity providers (IdPs) Casdoor accepts to ones you trust and audit your accounts — we walk through the full mitigation steps below.
To be clear up front: this is about the self-hosted Casdoor identity server specifically, not SSO logins in general. If you are not running Casdoor on your own servers, nothing here applies to you. If you are, read on. The disclosure was published on May 28, 2026 (in Japan tracked as JVNVU#95478525). CERT/CC notified the Casdoor team on March 26, 2026 but could not reach them, so this went out as an uncoordinated disclosure with no patch.
Casdoor is a single sign-on platform that lets one identity log in to many apps at once. SSO means that instead of typing a separate password for each tool — company email, chat, HR systems, expense reports — you prove who you are once at the gate and then reach every downstream app. It is developed by the community around the access-control library Casbin and is widely self-hosted. Nine holes that let someone slip past identity checks were found at once in the heart of that login layer.
All nine relate to authentication and access management, and CERT/CC assigned them CVE-2026-9090 through CVE-2026-9098. Neither the CERT/CC note nor JVN lists a CVSS score (the common 0-10 severity metric). However, the U.S. National Vulnerability Database NVD shows a supplemental CISA-ADP score of 9.1 (Critical) for CVE-2026-9090, while NVD's own assessment is still pending. The good news: as of June 22, 2026 there are still no confirmed attacks in the wild and the flaws are not on CISA's exploited-vulnerability list, so operators who act now have a real window to get ahead of it.
What Casdoor Is
Casdoor is a central identity management tool that handles login, identity verification, and permission control together. It supports a wide range of authentication standards such as OAuth 2.0, OIDC, SAML, and LDAP, consolidating the login gateways of internal systems, SaaS, and in-house apps into one place. Its GitHub repository has gathered about 12,000 stars and is actively developed by the Casbin community. It has been chosen by organizations that want to self-host rather than pay for managed cloud identity platforms such as Auth0 or Okta.
Most of the vulnerabilities here cluster in the handling of one of the standards Casdoor supports, SAML. SAML is a scheme where an external identity service (an IdP, or Identity Provider) issues a signed certificate (an assertion) saying "this person is who they claim to be," and the receiving app (an SP, or Service Provider) grants login based on it. Casdoor can act as both the receiver (SP) and the issuer (IdP). Safety depends on strictly checking whether a received certificate is genuine, addressed to you, within its valid time, and not reused. Gaps existed at each of those checking stages.
Who Wants This Bug, and What Do They Walk Off With
What makes these nine frightening is that breaking through the single gate lets you into every downstream app as a legitimate user. Some of these holes work simply by supplying a certificate you forged or replaying a stolen response, and you can impersonate even an administrator. The people coming for it are intruders who slip past identity checks from outside, former employees whose accounts were never deleted after they left, insiders posing as a colleague, and third parties who hijacked a partner's IdP. What they get is employees' names and internal email, the appraisals and pay records in HR and payroll systems, the partner directory in the customer management system, and other administrator accounts themselves. The instant a forged certificate is accepted, the CEO's ID or the accounting team's ID alike can be freely impersonated by the attacker.
The damage does not stop at that one app. Posing as an administrator, the attacker can pivot across the downstream SaaS, pulling every employee's personal data out of HR and the partner directory out of customer management. From there, a real chain can unfold: selling that data as lists on the dark web, fooling accounting with wire-transfer emails posing as an executive, and using the stolen employee data as a foothold to break further into partners and subsidiaries. A "legitimate employee badge" handed out once is hard to tell apart from normal access in the logs, which is the troubling part.
Responsibility for this chain comes back to the company running Casdoor and the SaaS providers behind it. If personal data leaks, they must notify the individuals and report to Japan's Personal Information Protection Commission, and face compensation to partners and apologies to users. What is lost is not only the leaked data but the very trust of being "a company you can safely hand your login to." With no fix released, whether operators can act now directly determines safety.
What the Nine Vulnerabilities Are (CVE by CVE)
All nine are about slipping past identity checks, impersonating other people or organizations, or having access that should have been revoked still go through. Here is each one. The CVE numbers can be checked on the individual NVD pages (9090 through 9098).
CVE-2026-9090: SAML signature validation bypass via a forged certificate
When validating a received SAML response, Casdoor verified the signature using the certificate embedded in the incoming response itself rather than the pre-configured "trusted IdP certificate." An attacker can sign forged identity data with their own certificate, include it in the response, and pass validation. This is the most foundational of the nine; NVD shows a supplemental CISA score of 9.1 (Critical).
CVE-2026-9091: Skipping multi-factor authentication via social login
The flow that binds a "social login" (logging in with an external account such as Google or GitHub) to an existing account (controllers/auth.go) is flawed and lets the otherwise-mandatory multi-factor authentication (MFA, a second check on top of the password, such as a code on your phone) be skipped. Even with MFA enforced, this path can bypass it.
CVE-2026-9092: Account takeover via an unverified email
The user-binding logic (getExistUserByBindingRule) links to an existing user by email address alone, without checking whether that email is verified as the person's own (email_verified). An attacker can take over an account merely by claiming the victim's email address.
CVE-2026-9093: Not validating the SAML audience (AudienceRestriction)
A SAML certificate carries an AudienceRestriction element stating "who this is intended for." Casdoor does not validate it or warn on a mismatch, so it may accept a certificate originally issued for a different service. This enables an attack that reuses a certificate legitimately issued for one service to log in to another.
CVE-2026-9094: Privilege escalation via cross-organization token exchange
When validating the pass issued after login (a JWT, a signed access token), Casdoor did not check whether the user belongs to the same organization as the target app. This makes "cross-organization privilege escalation" possible, using one organization's token against another organization's app to gain permissions one should not have.
CVE-2026-9095: Replaying a stolen login response (SAML replay)
When mapping a SAML certificate to a session, there is no replay (reuse) protection. With no recording of assertion IDs and no OneTimeUse enforcement, an attacker who once captured a legitimate login response can simply resend it later and log in again.
CVE-2026-9096: Ignoring the validity window (NotBefore / NotOnOrAfter)
A SAML certificate carries NotBefore and NotOnOrAfter time bounds stating "valid from when to when." Casdoor computed this time check but silently discarded the result before issuing a session. As a result, an expired certificate still passes login. Combined with the replay flaw (CVE-2026-9095), the impact widens further.
CVE-2026-9097: Tokens that should have been revoked still go through
Casdoor never queried its management Token table to check whether a pass (token) had been invalidated (revoked). So even when an administrator believes they have invalidated a token, it actually still works. This is an operational dead end: you cannot stop a token once you learn it has leaked.
CVE-2026-9098: Accepting an unsolicited login response
The SAML receiving endpoint (/api/acs) accepts any well-formed SAML response without correlating it to a login request (AuthnRequest) Casdoor issued beforehand. An attacker who has taken over a registered upstream IdP can simply send an unsolicited response or replay a captured legitimate one to establish persistent unauthorized access.
Vulnerability Summary
| Item | Detail |
|---|---|
| CVE IDs | CVE-2026-9090 - CVE-2026-9098 (9 total) |
| Tracking IDs | CERT/CC VU#780781 JVNVU#95478525 |
| CVSS | Not listed by CERT/CC or JVN (NVD CISA-ADP shows 9.1 Critical for 9090 only) |
| Class | Auth bypass, impersonation, privilege escalation (CWE-287) |
| Affected versions | 2.362.0 and earlier |
| Fixed version | None (as of June 22, 2026) latest release v3.98.0 does not reference a fix |
| Reporters | Zixu (Jason) Zhou David Lie / Ilya Grishchenko Xiangyu Guo (Univ. of Toronto) |
| Notified / Published | Notified Mar 26, 2026 Published May 28, 2026 (uncoordinated) |
| Exploitation | Not in U.S. CISA KEV (no confirmed attacks as of June 22, 2026) |
Note that Casdoor version numbers grow with the commit count in a scheme like "v1.500.0," so the larger the number, the newer the release. The latest GitHub release at the time of writing is v3.98.0 (June 20, 2026), a newer line than the affected 2.362.0. Casdoor has kept shipping releases since the disclosure, but none of their release notes reference these CVEs or a fix for the SAML and token-handling flaws, so there is still no version you can point to as "this one closes the nine." CERT/CC continues to state "no fix available" and shows the vendor status as "Unknown," and the U.S. CISA list of actively exploited flaws (KEV, Known Exploited Vulnerabilities) does not list them as of June 22, 2026, given this is a new, uncoordinated disclosure.
Is Your Environment at Risk? (Impact Matrix)
The risk of the nine varies with whether you use SAML and how social login is configured. Check your Casdoor's state in the table below. Note that the token revocation bypass (CVE-2026-9097) and cross-organization escalation (CVE-2026-9094) can affect you even without SAML, so no configuration is entirely "unrelated."
| Version | SAML SSO | Social login | Risk and action |
|---|---|---|---|
| 2.362.0 or earlier | In use | In use | Maximum risk. All 9 may apply Disable SAML and mitigate now |
| 2.362.0 or earlier | In use | Not used | High risk. 7 SAML flaws apply Limit to trusted IdPs + monitor |
| 2.362.0 or earlier | Not used | In use | Medium-high. MFA + email takeover Watch the 3 token-related flaws |
| 2.362.0 or earlier | Not used | Not used | Token revocation / cross-org apply Isolate high-privilege accounts |
| 3.x (incl. v3.98.0) | Either | Either | No fix confirmed in 3.x Track GitHub, keep mitigating |
What to Do Right Now (Interim Mitigations)
Since no fixed version closing these has been released, operator-side mitigation is the top priority for now. Here are CERT/CC's recommendations plus practical measures. If you self-host Casdoor, consider the following.
1. Consider temporarily disabling SAML SSO. Seven of the nine involve SAML processing. Unless it is operationally essential, temporarily stopping SAML-based login until a fix is in sight is the single most effective move. If you cannot stop it, enforce step 2 below.
2. Limit to trusted IdPs only (allowlist). This is CERT/CC's top recommendation. Restrict the identity services (IdPs) Casdoor accepts to only the trusted ones you manage. Avoiding IdPs of unknown provenance or settings that anyone can add narrows the path for injecting forged certificates.
3. Isolate high-privilege accounts and add downstream layers. For critical accounts such as administrators, do not rely on Casdoor login alone; require independent multi-factor authentication (MFA) at the downstream apps as well. The idea is to keep a last line of defense even if Casdoor's gate is breached.
4. Review your token revocation practices. Because of CVE-2026-9097, tokens you believe revoked may still work. Avoid issuing long-lived tokens, set short expirations, and promptly delete accounts of leavers and transfers. If a leak is suspected, go as far as reissuing tokens (rotating keys).
5. Monitor SAML and token logs for anomalies. This is also a CERT/CC recommendation. Add to your watch points: SAML responses from unfamiliar IdPs, responses that arrive unsolicited (a sign of CVE-2026-9098), reuse of the same certificate (a sign of replay), and unnatural cross-organization token use. Pay special attention to unexpected access to /api/acs.
6. Track the official fix and apply it immediately. Keep checking the releases page and security advisories, and apply a fixed version or official GHSA promptly once published.
To an attacker, the heart of login is "a master key that opens every room in the building once you get one." Unauthenticated bypass of identity and front-office systems has been a running theme in 2026: the OTRS helpdesk had a similar no-login intrusion flaw, covered in our CVE-2026-48188 write-up. And if you want to quickly grasp the flaws hiding in the open-source software you self-host, see also the OSS supply-chain scanner. Organizations running their own SSO platform should take this as a chance to review the range of IdPs they accept and to take stock of their accounts.
Sources
- â–¸CERT/CC - VU#780781: Casdoor contains multiple authentication bypass and access management vulnerabilities (May 28, 2026)
- â–¸JVN - JVNVU#95478525 Multiple vulnerabilities in Casdoor
- â–¸NVD - CVE-2026-9090 (SAML signature validation bypass)
- â–¸NVD - CVE-2026-9091 (MFA bypass)
- â–¸NVD - CVE-2026-9092 (account takeover via unverified email)
- â–¸NVD - CVE-2026-9093 (AudienceRestriction not validated)
- â–¸NVD - CVE-2026-9094 (cross-organization token exchange)
- â–¸NVD - CVE-2026-9095 (SAML replay)
- â–¸NVD - CVE-2026-9096 (time-bound bypass)
- â–¸NVD - CVE-2026-9097 (token revocation bypass)
- â–¸NVD - CVE-2026-9098 (unsolicited response accepted)
- â–¸Casdoor official repository (GitHub)
- â–¸Casdoor Releases (latest version)
- â–¸Casdoor official docs - How SAML works
- â–¸CISA - Known Exploited Vulnerabilities Catalog (not listed)

Makoto Horikawa
Backend Engineer / AWS / Django