CVE-2026-9092
May 28, 2026, 6 p.m.
None
No Score
Description
Casdoor versions 2.362.0 and earlier contain a vulnerability involving unverified email binding that may enable account takeover. The getExistUserByBindingRule function matches users by email without checking the email_verified claim from upstream providers; the idp.UserInfo struct does not even include a EmailVerified field. An attacker can supply an unverified email claim from an upstream provider to take over accounts that use the same email address.
Product(s) Impacted
| Vendor | Product | Versions |
|---|---|---|
| Casdoor |
|
|
Weaknesses
Common security weaknesses mapped to this vulnerability.
*CPE(s)
Affected systems and software identified for this CVE.
| Type | Vendor | Product | Version | Update | Edition | Language | Software Edition | Target Software | Target Hardware | Other Information |
|---|---|---|---|---|---|---|---|---|---|---|
| a | casdoor | casdoor | <2.362.0 | / | / | / | / | / | / | / |
References
Tags
Timeline
Published: May 28, 2026, 5:16 p.m.
Last Modified: May 28, 2026, 6 p.m.
Last Modified: May 28, 2026, 6 p.m.
Status : Deferred
CVE has been recently published to the CVE List and has been received by the NVD.
More infoSource
*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.