Description
In Casdoor versions 2.362.0 and earlier, the SAML service provider implementation does not validate the AudienceRestriction element in SAML assertions. The buildSp function in object/saml_sp.go never sets AudienceURI on the gosaml2 SAMLServiceProvider struct and never inspects WarningInfo.NotInAudience. This allows assertions issued for other service providers to be accepted by Casdoor.
References (1)
Core 1
Core References
Scores
EPSS
0.0002
EPSS Percentile
4.5%
Details
Status
published
Products (1)
Casdoor/Casdoor
< 2.362.0
Published
May 28, 2026
Tracked Since
May 28, 2026