Description
An issue in the permission verification module and organization/application editing interface in Casdoor v2.26.0 and before, fixed in v2.63.0, allows remote authenticated administrators of any organization within the system to bypass the system's permission verification mechanism by directly concatenating URLs after login.
References (4)
Core References
Various Sources: http://casdoor.com
Various Sources: https://gist.github.com/DevHjz/e75cea851d48e5f5478ac2a90757851a
Release Notes: https://github.com/casdoor/casdoor/releases/tag/v2.63.0
Scores
CVSS v3: 7.2
EPSS: 0.0009
EPSS Percentile: 24.7%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: total
Details
CWE: CWE-285
Status: published
Products (1)
casdoor/casdoor: 0 - 2.63.0 (Go)
Published: Oct 08, 2025
Tracked Since: Feb 18, 2026