Security Advisory

CVE-2026-9093

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-05-28 16:21:50
Last updated 2026-05-28 16:21:50
Assigner certcc
State PUBLISHED

Description

In Casdoor versions 2.362.0 and earlier, the SAML service provider implementation does not validate the AudienceRestriction element in SAML assertions. The buildSp function in object/saml_sp.go never sets AudienceURI on the gosaml2 SAMLServiceProvider struct and never inspects WarningInfo.NotInAudience. This allows assertions issued for other service providers to be accepted by Casdoor.