Cyber Resilience

CVE-2026-9092

CriticalUpdated

Published: 28 May 2026

Published
28 May 2026
Modified
17 June 2026
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0032 23.4th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-9092 is a critical-severity an unspecified weakness vulnerability. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Valid Accounts (T1078); ranked at the 23.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Casdoor versions 2.362.0 and earlier contain a vulnerability involving unverified email binding that may enable account takeover. The getExistUserByBindingRule function matches users by email without checking the email_verified claim from upstream providers; the idp.UserInfo struct does not even include a…

more

EmailVerified field. An attacker can supply an unverified email claim from an upstream provider to take over accounts that use the same email address.

CWE(s)
None listed

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1078 Valid Accounts Stealth
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1078.004 Cloud Accounts Stealth
Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

Vulnerability enables account takeover by bypassing email verification during identity provider binding, allowing use of compromised/valid accounts.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

Affected Assets

Casdoor
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References