CVE-2026-9098

Name: CVE-2026-9098 — Vulnerability Record
Brand: Quanteta Data Lab
SKU: CVE-2026-9098

CRITICAL

CVSS v3.1: 9.1 · EPSS: 0.0001 (1.2 percentile)

NetworkNo privilegesNo user interaction

Source data as of: 2026-06-03 05:00:11 UTC

At a glance

Severity: CRITICAL
CVSS: 9.1 v3.1 · NVD
EPSS: 0.0001 (1.2 percentile) · FIRST.org
CISA KEV: No
Attack conditions (CVSS vector): NetworkNo privilegesNo user interaction · Source: NVD Vector
Published: 2026-05-28 · Modified: 2026-06-02
References: Jump to references (1)

CVSS / EPSS / KEV

CVSS v3.1 9.1 / 10 CRITICAL Source: NVD

EPSS 0.0001 1.2 percentile Source: FIRST.org

CISA KEV No Source: CISA

Source — CVSS: NVD · EPSS: FIRST.org · KEV: CISA. Data & Sources

Description

In Casdoor versions 2.362.0 and earlier, the SAML callback handler in controllers/auth.go accepts any well-formed SAMLResponse sent to /api/acs without verifying that it corresponds to an AuthnRequest previously issued by Casdoor. Additionally, if an administrator disables or deletes an IdP (Identity Provider) after a SAML flow has started, the handler still processes the response using the provider snapshot loaded at the start of the request. As a result, an attacker controlling a registered upstream IdP can send unsolicited SAML responses, or replay a legitimately captured response in a different session or after the original flow has ended. In both cases, Casdoor accepts the response and issues a session, enabling persistent unauthorized access.

Record details

CVE ID: CVE-2026-9098
CVSS (v3.1): 9.1 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploitability subscore: 3.9
Impact subscore: 5.2
EPSS: 0.0001 (1.2 percentile) — 2026-06-03
CISA KEV: No
Affected configurations (CPE): 0
Published: 2026-05-28
Modified: 2026-06-02
Status: Deferred

References

Reference URLs as listed by NVD, grouped by a mechanical match on the link's host/pattern. Labels describe the link type only.

Reference https://kb.cert.org/vuls/id/780781

← Back to all records