CRITICAL 9.8
GHSA-3w4h-g9f5-j84p
Casdoor does not validate the AudienceRestriction element in SAML assertions
Details
In Casdoor versions 2.362.0 and earlier, the SAML service provider implementation does not validate the AudienceRestriction element in SAML assertions. The buildSp function in object/saml_sp.go never sets AudienceURI on the gosaml2 SAMLServiceProvider struct and never inspects WarningInfo.NotInAudience. This allows assertions issued for other service providers to be accepted by Casdoor.
Are you affected?
Enter the version of the package you're using.
Affected packages
Go / github.com/casdoor/casdoor
Introduced in:
0 No fixed version published yet for github.com/casdoor/casdoor (go modules). Pin to a known-safe version or switch to an alternative.
References
- https://nvd.nist.gov/vuln/detail/CVE-2026-9093 [ADVISORY]
- https://github.com/casdoor/casdoor [PACKAGE]
- https://kb.cert.org/vuls/id/780781 [WEB]