A critical security alert highlights vulnerabilities in the Casdoor identity and access management system, affecting versions 2.362.0 and earlier. The key vulnerabilities are: 1) CVE-2026-9090, a flaw in SAML certificate verification that lets an attacker bypass login; 2) CVE-2026-9091, which allows multi-factor authentication checks to be bypassed; and 3) CVE-2026-9094 and CVE-2026-9097, token-exchange flaws that enable privilege escalation across organizations.
No official patches are available, so administrators are advised to apply manual workarounds in the meantime, such as enforcing stricter identity governance controls and monitoring system logs for unusual activity.