GHSA-3w4h-g9f5-j84pCriticalCVSS 9.8

Casdoor does not validate the AudienceRestriction element in SAML assertions

Published
May 28, 2026
Last Modified
July 2, 2026

🔗 CVE IDs covered (1)

📋 Description

In Casdoor versions 2.362.0 and earlier, the SAML service provider implementation does not validate the AudienceRestriction element in SAML assertions. The buildSp function in object/saml_sp.go never sets AudienceURI on the gosaml2 SAMLServiceProvider struct and never inspects WarningInfo.NotInAudience. This allows assertions issued for other service providers to be accepted by Casdoor.

🎯 Affected products1

  • go/github.com/casdoor/casdoor:<= 1.1000.1-0.20260321120606-239e8bd69487

🔗 References (3)