Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information. Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
CVE-2026-9098
Vulnerability Description
In Casdoor versions 2.362.0 and earlier, the SAML callback handler in controllers/auth.go accepts any well-formed SAMLResponse sent to /api/acs without verifying that it corresponds to an AuthnRequest previously issued by Casdoor. Additionally, if an administrator disables or deletes an IdP (Identity Provider) after a SAML flow has started, the handler still processes the response using the provider snapshot loaded at the start of the request. As a result, an attacker controlling a registered upstream IdP can send unsolicited SAML responses, or replay a legitimately captured response in a different session or after the original flow has ended. In both cases, Casdoor accepts the response and issues a session, enabling persistent unauthorized access.
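The correlation and provider-state checks the description says are missing, written as an added Go example (not Casdoor's code; ACSGuard, IssueRequest and Accept are hypothetical names): every AuthnRequest the SP issues is recorded, a SAMLResponse is accepted only if its InResponseTo names one of them, the entry is consumed on first use so a replay fails, an expired entry is rejected, the response Issuer must match the IdP the request went to, and the IdP's enabled state is looked up live when the response arrives rather than from a snapshot.

```go
package main
import (
	"encoding/xml"
	"errors"
	"sync"
	"time"
)
// Minimal view of a SAMLResponse: the InResponseTo attribute and the Issuer element.
type samlResponse struct {
	XMLName      xml.Name `xml:"Response"`
	InResponseTo string   `xml:"InResponseTo,attr"`
	Issuer       string   `xml:"Issuer"`
}
type pendingRequest struct { // which IdP an AuthnRequest went to, and when it lapses
	idpEntityID string
	expires     time.Time
}
var (
	ErrUnsolicited      = errors.New("no pending AuthnRequest: unsolicited, replayed or expired")
	ErrIssuerMismatch   = errors.New("Issuer differs from the IdP the AuthnRequest went to")
	ErrProviderDisabled = errors.New("IdP disabled or deleted after the flow started")
)
// ACSGuard (hypothetical) accepts a response only if it answers an AuthnRequest this SP
// issued, exactly once, before expiry, and while the IdP is still enabled. Zero value is usable.
type ACSGuard struct {
	pending sync.Map                      // request ID -> pendingRequest
	Enabled func(idpEntityID string) bool // live lookup at response time, not a snapshot
}
// IssueRequest is called when the SP sends an AuthnRequest with this ID to the IdP.
func (g *ACSGuard) IssueRequest(requestID, idpEntityID string, ttl time.Duration) {
	g.pending.Store(requestID, pendingRequest{idpEntityID, time.Now().Add(ttl)})
}
// Accept checks correlation and IdP state; XML signature verification is assumed separate.
func (g *ACSGuard) Accept(raw []byte) error {
	var resp samlResponse
	if err := xml.Unmarshal(raw, &resp); err != nil {
		return err
	}
	v, ok := g.pending.LoadAndDelete(resp.InResponseTo) // consume it: a replay finds nothing
	req, _ := v.(pendingRequest)
	switch {
	case !ok || time.Now().After(req.expires):
		return ErrUnsolicited
	case resp.Issuer != req.idpEntityID:
		return ErrIssuerMismatch
	case !g.Enabled(req.idpEntityID):
		return ErrProviderDisabled
	}
	return nil
}
```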
CVSS Information
N/A
Vulnerability Type
N/A
Vulnerability Title
Casdoor security vulnerability
Vulnerability Description
Casdoor is an open-source platform from Casdoor that supports multiple authentication and authorization protocols. Casdoor versions 2.362.0 and earlier contain a security vulnerability. The flaw stems from the SAML callback handler in controllers/auth.go accepting any well-formed SAMLResponse sent to /api/acs without verifying that it corresponds to an AuthnRequest previously issued by Casdoor. In addition, if an administrator disables or deletes the identity provider after the SAML flow has started, the handler still processes the response using the provider snapshot loaded when the request began. An attacker controlling a registered upstream identity provider can send unsolicited SAM
CVSS Information
N/A
Vulnerability Type
N/A