CVE-2026-9096
May 28, 2026, 6 p.m.
None
No Score
Description
Casdoor versions 2.362.0 and earlier do not enforce SAML assertion time bounds. The gosaml2 library reports all time-validation results, including NotOnOrAfter and NotBefore, in the assertionInfo.WarningInfo field. However, ParseSamlResponse() never reads this field, meaning that time bounds are computed by the library but silently discarded before the user session is issued.
Product(s) Impacted
| Vendor | Product | Versions |
|---|---|---|
| Casdoor |
|
|
Weaknesses
Common security weaknesses mapped to this vulnerability.
*CPE(s)
Affected systems and software identified for this CVE.
| Type | Vendor | Product | Version | Update | Edition | Language | Software Edition | Target Software | Target Hardware | Other Information |
|---|---|---|---|---|---|---|---|---|---|---|
| a | casdoor | casdoor | 2.362.0 | / | / | / | / | / | / | / |
| a | casdoor | casdoor | / | / | / | / | / | / | / | / |
References
Tags
Timeline
Published: May 28, 2026, 5:16 p.m.
Last Modified: May 28, 2026, 6 p.m.
Last Modified: May 28, 2026, 6 p.m.
Status : Deferred
CVE has been recently published to the CVE List and has been received by the NVD.
More infoSource
*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.