HIGH 7.5

CVE-2026-9096: Casdoor SAML Assertion Time Validation Bypass (HIGH)

Casdoor, an open-source identity and access management platform, fails to validate SAML assertion expiration times in versions 2.362.0 and earlier. While the underlying gosaml2 library correctly computes whether SAML assertions have expired or are not yet valid, Casdoor discards these timing checks before granting user sessions. This means an attacker could replay or reuse expired SAML assertions to gain unauthorized access, bypassing a critical security boundary in federated authentication.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
Affected products
0 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

Casdoor versions 2.362.0 and earlier do not enforce SAML assertion time bounds. The gosaml2 library reports all time-validation results, including NotOnOrAfter and NotBefore, in the assertionInfo.WarningInfo field. However, ParseSamlResponse() never reads this field, meaning that time bounds are computed by the library but silently discarded before the user session is issued.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in Casdoor's ParseSamlResponse() function, which processes SAML responses from identity providers. The gosaml2 library validates SAML assertion timestamps—specifically the NotOnOrAfter and NotBefore attributes—and reports results in the assertionInfo.WarningInfo field. However, ParseSamlResponse() never reads or acts upon this field before issuing a user session. This creates a logic gap where time-bound assertions lose their temporal constraints, allowing indefinite reuse of otherwise expired credentials within the SAML flow.

Business impact

Organizations using Casdoor for SAML-based single sign-on face a significant authentication bypass risk. Attackers who obtain a valid SAML assertion—through interception, social engineering, or compromise of a relying party—can reuse it indefinitely rather than only during its intended validity window. This undermines the security model of federated identity, potentially allowing unauthorized access to applications and services relying on Casdoor for authentication, especially in multi-tenant or high-security environments where assertion lifetime is a key control.

Affected systems

Casdoor versions 2.362.0 and earlier are affected. Any deployment using Casdoor as a SAML service provider to authenticate users against upstream identity providers, or as a SAML identity provider issuing assertions to downstream applications, may be vulnerable depending on how assertions are generated and consumed. The scope depends on your Casdoor deployment architecture and integration patterns.

Exploitability

Exploitation requires an attacker to obtain a valid SAML assertion from a legitimate authentication flow—either by network interception, social engineering a user to share it, or compromising a relying party. Once obtained, the assertion can be replayed indefinitely without time-based rejection. The attack requires no authentication privileges, no user interaction beyond normal SAML login, and works over the network, making it relatively straightforward in environments where assertion capture is possible. However, successful exploitation depends on the attacker's ability to inject the expired assertion into a Casdoor authentication context.

Remediation

Upgrade Casdoor to a patched version that enforces SAML assertion time bounds by reading and validating the WarningInfo field before session issuance. Verify the exact patched version against the official Casdoor release notes and security advisories. Until a patch is applied, monitor for suspicious SAML assertion reuse patterns and consider additional network-level controls or assertion encryption to reduce the risk of interception and replay.

Patch guidance

Check the official Casdoor GitHub repository and release notes for versions after 2.362.0 that address SAML time validation. Apply the latest patched release and test your SAML flows in a staging environment to confirm that assertions now expire correctly. If you are a Casdoor operator managing upgrades, prioritize this in your patch schedule given the network-exploitable nature of the flaw.

Detection guidance

Look for SAML assertions being accepted in your Casdoor logs after their NotOnOrAfter timestamp has passed, or logs showing repeated use of the same assertion ID across multiple sessions. Enable detailed SAML debugging in Casdoor if available, and correlate authentication events with assertion timestamps. Intrusion detection systems should flag repeated replayed SAML assertions from the same source IP or user session. Review access logs for applications consuming Casdoor SAML assertions around the time assertions should have expired.

Why prioritize this

This vulnerability merits urgent patching because it directly undermines federated authentication—a foundational security mechanism in modern identity infrastructure. The flaw is a classic case of a security library doing its job correctly while the consuming application ignores the result, creating a logic error that is both high-impact and network-accessible. Organizations with SAML-dependent workflows should treat this as a critical remediation candidate.

Risk score, explained

The CVSS 3.1 score of 7.5 (HIGH) reflects the network accessibility (AV:N), low attack complexity (AC:L), and lack of authentication requirement (PR:N), combined with high availability impact (A:H) from potential session hijacking. The score does not separately account for integrity impact, but in practice, unauthorized access via assertion replay constitutes both confidentiality and integrity compromise of the application being accessed.

Frequently asked questions

How would an attacker actually obtain a SAML assertion to replay?

Attackers can intercept SAML assertions through network eavesdropping (if TLS is misconfigured), phishing users for authentication credentials that generate assertions, compromising a relying party to extract assertions from its logs or memory, or social engineering. Once any valid assertion is obtained, its reusability is indefinite under this vulnerability.

Does this affect Casdoor as a SAML identity provider, a consumer of SAML, or both?

The vulnerability is in ParseSamlResponse(), which processes incoming SAML responses. This means Casdoor acting as a relying party (consuming SAML from an upstream IdP) is directly affected. The impact on Casdoor as an IdP issuing SAML depends on whether downstream applications trust Casdoor's time validation—they should reject expired assertions themselves, but a misconfigured consumer might not.

What should I do if I cannot patch immediately?

Implement compensating controls: enforce TLS with certificate pinning to reduce assertion interception risk, monitor for suspicious assertion reuse patterns in logs, consider adding an additional authentication factor for high-value transactions, and consult your SAML provider about assertion encryption or short validity windows.

Is this vulnerability actively being exploited in the wild?

This vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the published date, but absence from KEV does not mean attacks are not occurring. Given the straightforward nature of assertion replay, proactive patching is recommended regardless of current threat intelligence.

This analysis is based on the published CVE record and does not constitute professional security advice. Verify all version numbers, patch availability, and compatibility with your specific Casdoor deployment against official vendor documentation and release notes. Organizations should perform their own risk assessment and testing before deploying patches to production systems. SEC.co makes no warranty regarding the accuracy, completeness, or fitness of this information for any particular purpose. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).