MEDIUM 5.3
GHSA-gv4m-v8c8-hr3g
Casdoor allows users to bypass configured MFA requirements
Details
Casdoor versions 2.362.0 and earlier contain a logic flaw in the social‑login binding flow that allows users to bypass configured MFA requirements. The binding‑rule code path in controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable. Any user authenticating via this path is logged in without MFA enforcement.
Are you affected?
Enter the version of the package you're using.
Affected packages
Go / github.com/casdoor/casdoor
Introduced in:
0 No fixed version published yet for github.com/casdoor/casdoor (go modules). Pin to a known-safe version or switch to an alternative.
References
- https://nvd.nist.gov/vuln/detail/CVE-2026-9091 [ADVISORY]
- https://github.com/casdoor/casdoor [PACKAGE]
- https://kb.cert.org/vuls/id/780781 [WEB]