cvedb.io
CVE-2026-9091
MEDIUM · CVSS 5.3
EPSS exploitation probability: 0%
Published 2026-05-28T17:16:33.953 · Last modified 2026-06-17T11:04:48.930

Summary

Casdoor versions 2.362.0 and earlier contain a logic flaw in the social-login binding flow that allows users to bypass configured MFA requirements. The binding-rule code path in controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable. Any user authenticating via this path is logged in without MFA enforcement.

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.