CVE-2026-9095: Casdoor SAML Replay Attack Allows Authentication Bypass
Casdoor, an open-source identity and access management platform, contains a critical flaw in how it processes SAML single sign-on requests. When a user logs in via SAML, the application accepts and authenticates the SAML assertion without checking whether it has already been used. An attacker who intercepts or obtains a valid SAML assertion—even days or weeks after it was originally issued—can replay it to gain a logged-in session as that user. This bypasses password and multi-factor authentication requirements entirely. The risk is particularly severe if an attacker targets administrator accounts, as they could gain full control of the Casdoor instance.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-294
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Casdoor versions 2.362.0 and earlier map SAML assertions to user sessions without replay protection. The ParseSamlResponse() function in object/saml_sp.go calls sp.RetrieveAssertionInfo() and immediately maps the result to a user session. There is no assertion ID cache, OneTimeUse condition enforcement, or replay detection anywhere in the SAML SP code path. As a result, an attacker can replay a previously captured SAML assertion to obtain an authenticated session for the assertion’s subject, including administrator accounts, without needing the user’s password or MFA credentials.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in Casdoor's SAML Service Provider implementation, specifically in the ParseSamlResponse() function within object/saml_sp.go. The code calls sp.RetrieveAssertionInfo() to extract claims from an incoming SAML assertion and immediately maps the result to an authenticated user session. The SAML SP code path lacks three critical security controls: (1) no assertion ID caching mechanism to track processed assertions, (2) no enforcement of the OneTimeUse condition that SAML allows issuers to set on assertions, and (3) no replay detection or timestamp validation beyond what the identity provider may have included. This maps to CWE-294 (Authentication Using a Trusted Channel When the Channel Cannot be Authenticated), as the application trusts the assertion content without verifying freshness or uniqueness. Affected versions are Casdoor 2.362.0 and earlier.
Business impact
Organizations using Casdoor for federated identity management face unauthorized account takeover risk. An attacker with network access to capture SAML traffic, or with access to Casdoor logs or backups containing assertion data, can impersonate any user indefinitely. For deployments where Casdoor manages administrator or privileged service accounts, this translates to potential full compromise of systems managed through that Casdoor instance. Incident response is complicated because traditional password resets do not invalidate captured assertions; attackers retain access unless assertion-specific defenses are deployed or sessions are forcibly terminated.
Affected systems
Casdoor versions 2.362.0 and earlier are affected. The vulnerability affects all Casdoor deployments using SAML as an authentication method, regardless of the upstream SAML identity provider (e.g., Okta, Entra ID, Keycloak). Environments where Casdoor is integrated into applications or services for SSO are at risk. Self-hosted and on-premises deployments are included; cloud-hosted instances depend on whether the operator has upgraded.
Exploitability
Exploitation requires an attacker to obtain a valid SAML assertion. This can occur through several means: passive network interception in an environment without encrypted SAML transport, compromise of an identity provider, extraction from application logs or database backups, or social engineering of a user to forward their login credentials or session tokens. Once an assertion is captured, no additional technical barriers prevent its replay. The CVSS score of 8.1 (HIGH) reflects high impact (complete authentication bypass for a targeted account) tempered by the requirement to obtain a valid assertion first, which is feasible in many enterprise environments but not trivial for external attackers. Active exploitation is not yet documented in public disclosures, but the attack is straightforward to execute.
Remediation
Upgrade Casdoor to a version that enforces SAML replay protection. Verify with the Casdoor project's security advisories for the first patched version. Pending patching, implement compensating controls: enforce HTTPS/TLS for all SAML traffic to reduce interception risk, restrict SAML assertion lifetime to minutes (typically a configuration in your identity provider), enable detailed logging of SAML assertions and session creation, and monitor for suspicious patterns such as multiple successful logins from the same assertion or logins occurring outside normal business hours. Consider temporarily disabling SAML authentication if you cannot patch and rely on alternative authentication methods.
Patch guidance
Check the Casdoor GitHub repository (github.com/casdoor/casdoor) and security advisories for a release version later than 2.362.0 that addresses assertion replay protection. The fix should include assertion ID caching, OneTimeUse condition validation, and timestamp-based replay detection. Upgrade the Casdoor service, verify the new version is in production, and test SAML login flows to confirm functionality is preserved. After patching, consider rotating or invalidating long-lived SAML assertions if your identity provider allows it.
Detection guidance
In Casdoor logs, search for repeated successful authentications using the same SAML assertion ID or with the same assertion content but separated by unusual time intervals. If your identity provider logs SAML assertion issuance, correlate with Casdoor session creation logs to identify assertions used multiple times or used after their stated expiration. Deploy network-level monitoring to detect SAML assertion patterns consistent with replay (e.g., identical encrypted SAML responses sent to Casdoor). Alert on administrator or privileged account logins that lack corresponding identity provider records or that occur outside normal patterns. Review Casdoor session tables for sessions created by the same principal within short timeframes, which may indicate replay.
Why prioritize this
This vulnerability merits immediate attention for any organization using Casdoor with SAML authentication. The combination of high impact (complete account takeover, potentially of privileged users) and moderate exploitability (requires assertion capture but no advanced techniques) places it in the highest priority tier. Unlike many authentication bypass flaws that require social engineering or zero-days, this can be exploited against any captured assertion with no further interaction. The lack of an active patch at publication means organizations must evaluate their risk posture and defensive layers now.
Risk score, explained
The CVSS 3.1 score of 8.1 reflects: (A) Attack Vector Network—the assertion can be replayed over any network path, (B) Attack Complexity High—the attacker must first obtain a valid assertion, which requires interception or provider compromise, (C) Privileges Required None—no special access is needed once the assertion is obtained, (D) User Interaction None—no user action is required to perform the attack, (E) Scope Unchanged—the impact is limited to the Casdoor application and authenticated resources, (F) Confidentiality Impact High—attackers gain access to sensitive data as the authenticated user, (G) Integrity Impact High—attackers can modify data and configuration as that user, (H) Availability Impact High—attackers can delete or disable resources. The score balances the severe impact against the practical requirement to intercept or acquire an assertion.
Frequently asked questions
Can an attacker forge a SAML assertion without capturing one first?
No. This vulnerability requires replaying a genuine assertion issued by a trusted identity provider. An attacker cannot create valid assertions without compromising the identity provider's signing key. The flaw is in Casdoor's failure to detect that an existing, legitimate assertion is being reused.
Does enabling HTTPS prevent this attack?
HTTPS prevents passive interception of SAML in transit, which raises the bar for attackers. However, HTTPS does not prevent replay. An attacker with access to application logs, backups, or memory dumps can still obtain assertion data. Additionally, some SAML transports (form POSTs) may be logged unencrypted by applications or proxies. HTTPS is a best practice but not a complete mitigation for this vulnerability.
If our identity provider enforces a short assertion lifetime, are we protected?
A short lifetime (e.g., 5 minutes) reduces the window for replay but does not eliminate it. An assertion captured just after issuance can still be replayed within minutes before expiration. More importantly, Casdoor is not honoring even short lifetimes due to the absence of timestamp validation in the code path. This becomes a shared responsibility: the identity provider sets the lifetime, but Casdoor must enforce it.
What should we do if we suspect our Casdoor instance has been compromised via SAML replay?
Immediately revoke all active Casdoor sessions and force re-authentication. Review authentication and session logs for anomalies, particularly logins associated with administrator accounts or those occurring outside business hours. Contact your identity provider to audit SAML assertion issuance for the relevant time period. If backups contain SAML assertion data, isolate those backups until you understand the scope of exposure. Implement enhanced monitoring and consider temporarily switching to a different authentication method pending a patch.
This analysis is provided for informational purposes only and should not be construed as professional security advice. Organizations should verify all technical details, patch availability, and version numbers directly with the Casdoor project and their identity provider before making remediation decisions. No exploit code or detailed attack methodology is provided; responsible disclosure principles apply. Testing any mitigations or detection measures in a non-production environment is strongly recommended. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-46538MEDIUMMicrosoft UFO Cross-Device Task Result Injection (CVSS 5.9)
- CVE-2026-49322MEDIUMPIN Recovery Vulnerability in Indian Motorcycle Scout Bobber + Tech WCM
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25383HIGHFree MP3 CD Ripper 2.8 Stack Overflow – ROP and DEP Bypass Risk
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25388HIGHHaPe PKH 1.1 Arbitrary File Upload Vulnerability (CVSS 8.8)
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction