CVE-2026-9091: Casdoor MFA Bypass in Social Login Binding
Casdoor is an open-source identity and access management platform. A logic flaw in its social login binding feature allows attackers to bypass multi-factor authentication (MFA) requirements. When users authenticate through the social login binding flow, the application fails to check whether MFA is enabled, granting them access without completing the second authentication factor. This affects Casdoor versions 2.362.0 and earlier.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- —
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Casdoor versions 2.362.0 and earlier contain a logic flaw in the social‑login binding flow that allows users to bypass configured MFA requirements. The binding‑rule code path in controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable. Any user authenticating via this path is logged in without MFA enforcement.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in the social-login binding flow within controllers/auth.go. The binding-rule code path invokes HandleLoggedIn directly without first calling checkMfaEnable, the function responsible for enforcing MFA policies. This creates a logic gap where users bypass MFA checks entirely during the binding authentication flow. The flaw is specific to the binding code path and does not affect standard authentication routes that properly enforce MFA validation.
Business impact
For organizations using Casdoor as their identity provider, this vulnerability undermines MFA-based security posture. An attacker who gains a user's primary credentials can bypass MFA by using the social login binding flow, compromising account security even when MFA policies are in place. This is particularly concerning for regulated environments where MFA is a mandatory control. The risk extends to any downstream systems relying on Casdoor for authentication and authorization.
Affected systems
Casdoor versions 2.362.0 and earlier are vulnerable. This includes all deployments running these versions, regardless of whether MFA is explicitly configured. The vulnerability affects the social login binding feature specifically; not all authentication methods are impacted equally.
Exploitability
Exploitation requires network access to the Casdoor instance and knowledge of a valid user credential. No authentication is required to trigger the binding flow itself, and no complex interaction is needed—the flaw is automatically triggered when social login binding is used. The CVSS score of 5.3 (Medium) reflects low confidentiality impact and network-accessible attack surface, though the logic flaw is straightforward to exploit once the code path is identified.
Remediation
Organizations should upgrade Casdoor to a version later than 2.362.0 as soon as a patched release becomes available. Until patching is feasible, consider temporarily disabling social login binding or implementing network-level restrictions to limit access to the Casdoor application. Verify the patched version's release notes to confirm that checkMfaEnable is properly invoked in the social login binding code path.
Patch guidance
Monitor the Casdoor project repository and release channels for version 2.362.1 or later. Apply patches promptly to production Casdoor deployments. Test patches in a staging environment first to ensure no disruption to social login workflows. After patching, verify that MFA is properly enforced for all authentication paths by conducting a manual test of the social login binding flow with MFA enabled.
Detection guidance
Log authentication events and identify instances where users authenticate via the social login binding flow without MFA completion. If your Casdoor logs track the code path or function calls, look for HandleLoggedIn invocations that bypass checkMfaEnable. Monitor for successful authentications where the MFA flag is unexpectedly absent or disabled. Correlate social login binding activities with user account compromise incidents to identify potential exploitation.
Why prioritize this
This vulnerability merits prompt attention because it directly undermines a critical security control—multi-factor authentication. Unlike vulnerabilities that require extensive prerequisites, this flaw is trivially exploitable and provides a direct path to account takeover for any user whose primary credential is compromised. The medium CVSS score should not minimize the risk in environments where MFA compliance is mandated by policy or regulation.
Risk score, explained
The CVSS 3.1 score of 5.3 reflects a network-accessible attack vector with low complexity and no privileges required. Confidentiality impact is rated low because the attacker gains unauthorized access but does not directly exfiltrate data—the data exposure depends on what the compromised account can access downstream. Integrity and availability impacts are not factored into this score, though an attacker with access may modify data or disrupt services depending on the account's permissions.
Frequently asked questions
Does this vulnerability affect all Casdoor authentication methods?
No. The flaw is specific to the social login binding code path. Standard authentication routes that properly invoke checkMfaEnable are not affected. However, if your deployment relies heavily on social login binding, the risk surface is larger.
Can this be exploited without knowing a user's password?
The social login binding flow still requires a valid user credential to authenticate. An attacker cannot log in to an arbitrary account without obtaining that credential first. The vulnerability bypasses MFA once a primary credential is compromised, not the primary authentication itself.
What should I do if I cannot patch immediately?
Disable the social login binding feature if operationally feasible, or restrict network access to your Casdoor instance to trusted networks only. Implement compensating controls such as IP whitelisting or VPN requirements. Monitor authentication logs closely for suspicious social login binding activity.
Does upgrading Casdoor to a later version automatically enable a fix?
Verify the release notes of any upgraded version to confirm that the binding-rule code path now properly calls checkMfaEnable before accepting login. Do not assume a minor version bump includes this fix; consult the Casdoor security advisories or commit history.
This analysis is based on the published CVE record and vendor advisory information current as of the modification date. Patch availability, version numbers, and remediation timelines should be verified against official Casdoor releases and security channels. No exploit code or proof-of-concept details are provided. Organizations should assess their specific Casdoor configuration and MFA enforcement policies to determine internal risk and prioritization. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2018-25387MEDIUMHaPe PKH 1.1 Cross-Site Request Forgery (CSRF) Admin Password Reset
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)
- CVE-2018-25397MEDIUMCSRF Vulnerability in PHP-SHOP 1.0 – Admin Account Injection
- CVE-2018-25421MEDIUMOpen STA Manager 2.3 Path Traversal File Download Vulnerability
- CVE-2018-25423MEDIUMBuffer Overflow Denial of Service in Arm Whois 3.11
- CVE-2018-25435MEDIUMZeusCart 4.0 CSRF Vulnerability – Account Deactivation Risk
- CVE-2019-25716MEDIUMDräger Patient Monitor Denial-of-Service Vulnerability