CVE-2026-9093

May 28, 2026, 6 p.m.

CVSS: none assigned (no score)

Description

In Casdoor versions 2.362.0 and earlier, the SAML service provider (SP) implementation does not validate the AudienceRestriction element of SAML assertions. The buildSp function in object/saml_sp.go never sets AudienceURI on the gosaml2 SAMLServiceProvider struct, so the library has no expected audience to compare against, and it never inspects WarningInfo.NotInAudience, the flag gosaml2 uses to report an audience mismatch to the caller rather than failing validation outright. Both are needed for the check to have any effect. As a result, an assertion that an identity provider issued for a different service provider (a different Audience) is accepted by Casdoor as if it had been issued for Casdoor.
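The mechanism the description names, as an added example that is not Casdoor's code and does not use the gosaml2 library: a stand-in SP configuration with an AudienceURI field, a parser for just the AudienceRestriction part of an assertion, and two acceptance paths. AcceptLenient mirrors the flawed flow (no AudienceURI set, warning never read); AcceptStrict mirrors the fix (AudienceURI configured and NotInAudience acted on). The types, the sample assertions and the entity IDs are constructed for this example; signature and validity-window checks are deliberately out of scope and must still be done by the real SAML library.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// Minimal subset of a SAML 2.0 <Assertion> needed to evaluate AudienceRestriction.
// Stand-in types written for this example, not Casdoor's or gosaml2's. Per SAML
// Core, several AudienceRestriction elements are ANDed; Audience values inside one are ORed.
type Assertion struct {
	XMLName    xml.Name   `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
	Conditions Conditions `xml:"urn:oasis:names:tc:SAML:2.0:assertion Conditions"`
}
type Conditions struct {
	AudienceRestrictions []AudienceRestriction `xml:"urn:oasis:names:tc:SAML:2.0:assertion AudienceRestriction"`
}
type AudienceRestriction struct {
	Audiences []string `xml:"urn:oasis:names:tc:SAML:2.0:assertion Audience"`
}

// ServiceProvider stands in for the SP configuration. AudienceURI borrows the name
// of the gosaml2 field that buildSp leaves unset; empty means "never compared".
type ServiceProvider struct {
	AudienceURI string
}

// WarningInfo mirrors the shape of gosaml2's WarningInfo for the flag at issue.
type WarningInfo struct {
	NotInAudience bool
}

// EvaluateAudience parses rawAssertion and flags it when it is not addressed to
// sp.AudienceURI. Signature and validity-window checks are out of scope here.
func EvaluateAudience(sp ServiceProvider, rawAssertion []byte) (WarningInfo, error) {
	var a Assertion
	if err := xml.Unmarshal(rawAssertion, &a); err != nil {
		return WarningInfo{}, fmt.Errorf("parse assertion: %w", err)
	}
	if sp.AudienceURI == "" {
		return WarningInfo{}, nil // nothing to compare against: the vulnerable configuration
	}
	return WarningInfo{NotInAudience: !audienceSatisfied(a.Conditions, sp.AudienceURI)}, nil
}

// audienceSatisfied requires every AudienceRestriction to name audienceURI exactly.
func audienceSatisfied(c Conditions, audienceURI string) bool {
	for _, r := range c.AudienceRestrictions {
		matched := false
		for _, aud := range r.Audiences {
			matched = matched || aud == audienceURI
		}
		if !matched {
			return false
		}
	}
	// No AudienceRestriction at all is rejected: a strict policy chosen for this example.
	return len(c.AudienceRestrictions) > 0
}

// AcceptLenient models the flawed flow: the warning is computed (or skipped) and then discarded.
func AcceptLenient(sp ServiceProvider, rawAssertion []byte) (bool, error) {
	_, err := EvaluateAudience(sp, rawAssertion)
	return err == nil, err
}

// AcceptStrict models the fix: AudienceURI must be configured and NotInAudience acted on.
func AcceptStrict(sp ServiceProvider, rawAssertion []byte) (bool, error) {
	if sp.AudienceURI == "" {
		return false, fmt.Errorf("no AudienceURI configured for this service provider")
	}
	w, err := EvaluateAudience(sp, rawAssertion)
	if err != nil {
		return false, err
	}
	if w.NotInAudience {
		return false, fmt.Errorf("assertion was not issued for this service provider")
	}
	return true, nil
}

// Constructed, unsigned sample assertions; the entity IDs are hypothetical.
const CasdoorAudience = "https://casdoor.example.org/api/saml/metadata"
const AssertionForCasdoor = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://casdoor.example.org/api/saml/metadata</saml:Audience></saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>`
const AssertionForOtherSP = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a2" Version="2.0">
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://other-app.example.com/saml/metadata</saml:Audience></saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>`

func main() {
	unset, fixed := ServiceProvider{}, ServiceProvider{AudienceURI: CasdoorAudience}
	for _, raw := range []string{AssertionForCasdoor, AssertionForOtherSP} {
		lenient, _ := AcceptLenient(unset, []byte(raw))
		strict, err := AcceptStrict(fixed, []byte(raw))
		fmt.Printf("lenient=%v strict=%v err=%v\n", lenient, strict, err)
	}
}
```

Running it shows the assertion addressed to the other SP passing the lenient path and failing the strict one. Two points the example makes explicit: the audience check only has teeth if the configured AudienceURI is the entity ID identity providers actually place in Audience for this SP, and because gosaml2 surfaces a mismatch as WarningInfo.NotInAudience rather than as an error, setting AudienceURI alone is only half the fix; the caller must reject on the flag.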

Product(s) Impacted

Vendor: Casdoor
Product: Casdoor
Versions: 2.362.0 and earlier (the range given in the description; the CPE entry below lists <2.362.0)

Weaknesses

Common security weaknesses (CWEs) mapped to this vulnerability. None are listed for this CVE on this page.

*CPE(s)

Affected systems and software identified for this CVE.

Type: a (application)
Vendor: casdoor
Product: casdoor
Version: <2.362.0 (the description above gives the affected range as 2.362.0 and earlier)
Update / Edition / Language / Software Edition / Target Software / Target Hardware / Other Information: not specified

Timeline

Published: May 28, 2026, 5:16 p.m.
Last Modified: May 28, 2026, 6 p.m.

Status: Deferred

CVE has been recently published to the CVE List and has been received by the NVD.


*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.