Description

Casdoor versions 2.362.0 and earlier contain an unverified email binding vulnerability that may enable account takeover. The getExistUserByBindingRule function matches users by email without checking the email_verified claim from upstream providers; the idp.UserInfo struct does not even include an EmailVerified field. An attacker can supply an unverified email claim from an upstream provider to take over accounts that use the same email address.
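The flaw described above is a missing check, not a missing feature: the lookup is keyed on the email address alone, so a provider that lets users assert arbitrary, unverified addresses can be used to link into any local account with that address. The following Go example is added here to show the flawed lookup beside a hardened one; it is not Casdoor's code. The UserInfo and User types, the in-memory user store, and the claim parser are constructed for illustration, and the field name EmailVerified is assumed (the advisory notes that Casdoor's idp.UserInfo has no such field). The parser treats a missing or non-boolean email_verified claim as unverified, so binding fails closed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// UserInfo models the claims an IdP adapter carries back from an upstream
// OAuth/OIDC provider. Constructed for this example; the EmailVerified field is
// the piece the advisory says is absent from Casdoor's idp.UserInfo.
type UserInfo struct {
	Id            string
	Email         string
	EmailVerified bool
}

// User is a minimal local account record (constructed).
type User struct {
	Name  string
	Email string
}

// users is a constructed in-memory store keyed by normalised email.
var users = map[string]*User{
	"victim@example.com": {Name: "victim", Email: "victim@example.com"},
}

// ErrUnverifiedEmail is returned when the upstream provider did not assert
// ownership of the address; the caller must not bind by email in that case.
var ErrUnverifiedEmail = errors.New("upstream email claim is not verified; refusing email-based binding")

// parseUserInfo maps raw provider claims onto UserInfo. email_verified is read
// as a bool, or as the string "true" (some providers send it as a string);
// anything else, including an absent claim, is treated as unverified.
func parseUserInfo(claims map[string]interface{}) UserInfo {
	info := UserInfo{}
	if v, ok := claims["sub"].(string); ok {
		info.Id = v
	}
	if v, ok := claims["email"].(string); ok {
		info.Email = strings.ToLower(strings.TrimSpace(v))
	}
	switch v := claims["email_verified"].(type) {
	case bool:
		info.EmailVerified = v
	case string:
		info.EmailVerified = strings.EqualFold(v, "true")
	default:
		info.EmailVerified = false // missing or odd type: fail closed
	}
	return info
}

// findByEmailUnsafe reproduces the flawed pattern: any email claim links to
// the existing account holding that address, whether or not it was verified.
func findByEmailUnsafe(info UserInfo) *User {
	return users[strings.ToLower(info.Email)]
}

// findByEmailVerified is the hardened form: email is used as a binding key
// only when the provider asserts the address is verified. Returning a nil
// user with a nil error means "no match, create a new account or refuse".
func findByEmailVerified(info UserInfo) (*User, error) {
	if info.Email == "" {
		return nil, nil
	}
	if !info.EmailVerified {
		return nil, ErrUnverifiedEmail
	}
	return users[strings.ToLower(info.Email)], nil
}

func main() {
	// Constructed claim set: the address matches an existing account but the
	// provider has not verified it.
	attacker := parseUserInfo(map[string]interface{}{
		"sub":   "attacker-subject",
		"email": "Victim@Example.com",
	})
	fmt.Printf("unsafe lookup binds to: %v\n", findByEmailUnsafe(attacker) != nil)
	_, err := findByEmailVerified(attacker)
	fmt.Printf("hardened lookup: %v\n", err)
}
```

A provider-scoped identity (issuer plus subject) remains the right primary key for linking; email is only a secondary match, and only when the provider vouches for it.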

PUBLISHED Reserved 2026-05-20 | Published 2026-05-28 | Updated 2026-06-01 | Assigner certcc

Problem types

CWE-290 Authentication Bypass by Spoofing

Product status

Any version: affected

References

kb.cert.org/vuls/id/780781

cve.org (CVE-2026-9092)

nvd.nist.gov (CVE-2026-9092)