CVE-2026-9091 - Vulnerability Details

Casdoor versions 2.362.0 and earlier contain a logic flaw in the social‑login binding flow that allows users to bypass configured MFA requirements. The binding‑rule code path in controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable. Any user authenticating via this path is logged in without MFA enforcement.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

References

Link	Providers
https://kb.cert.org/vuls/id/780781

History

Thu, 28 May 2026 17:00:00 +0000

Type	Values Removed	Values Added
Description		Casdoor versions 2.362.0 and earlier contain a logic flaw in the social‑login binding flow that allows users to bypass configured MFA requirements. The binding‑rule code path in controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable. Any user authenticating via this path is logged in without MFA enforcement.
Title		CVE-2026-9091
References		https://kb.cert.org/vuls/id/780781

MITRE

Status: PUBLISHED

Assigner: certcc

Published: 2026-05-28T16:19:39.239Z

Updated: 2026-05-28T16:19:39.239Z

Reserved: 2026-05-20T15:04:03.933Z

Link: CVE-2026-9091

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-05-28T17:16:33.953

Modified: 2026-05-28T18:00:22.543

Link: CVE-2026-9091

Redhat

No data.

OpenCVE Enrichment

No data.

Metrics

Affected Vendors & Products

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object