Security Advisory

CVE-2026-9091

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-05-28 16:19:39

Last updated 2026-05-28 16:19:39

Assigner certcc

State PUBLISHED

Description

Casdoor versions 2.362.0 and earlier contain a logic flaw in the social‑login binding flow that allows users to bypass configured MFA requirements. The binding‑rule code path in controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable. Any user authenticating via this path is logged in without MFA enforcement.

← Browse all CVEs View on cve.org ↗