Cyber Resilience

CVE-2026-9097

Critical · Updated

Published: 28 May 2026
Modified: 17 June 2026
KEV Added
Patch
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0040 (32.4th percentile)
Risk priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-9097 is a critical-severity vulnerability whose weakness type is unspecified (no CWE listed). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application Access Token (T1550.001); ranked at the 32.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Casdoor versions 2.362.0 and earlier do not verify that a JWT used for token exchange is still active. The GetTokenExchangeToken() function in object/token_oauth.go validates the JWT signature and parses its claims, but never queries the Token table to verify whether the subject token has been revoked or invalidated. Because the revocation check is entirely absent, administrators are unable to terminate active sessions or revoke compromised tokens.
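The following is an added illustration of the pattern described above, not Casdoor's own code: a token-exchange handler that stops after signature verification and claim parsing (the flaw the advisory describes) beside one that also consults a revocation store before issuing anything. The HS256 helper, the Claims struct, the TokenStore map (a stand-in for Casdoor's Token table) and the function names exchangeVulnerable/exchangeFixed are all assumptions made for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of JWT claims this example inspects (assumed layout).
type Claims struct {
	Sub string `json:"sub"`
	Jti string `json:"jti"`
	Exp int64  `json:"exp"`
}

// verifyAndParse checks an HS256 signature and decodes the payload. This is
// the step the advisory says the vulnerable code already performs correctly.
func verifyAndParse(token string, key []byte) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	got, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(got, mac.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Exp != 0 && time.Now().Unix() > c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// TokenStore stands in for the Token table: jti -> still active?
// A missing entry means the server never issued (or has purged) that token.
type TokenStore map[string]bool

// exchangeVulnerable reproduces the flaw: a valid signature is enough, so a
// token an administrator has revoked is still accepted for exchange.
func exchangeVulnerable(token string, key []byte, _ TokenStore) (string, error) {
	c, err := verifyAndParse(token, key)
	if err != nil {
		return "", err
	}
	return c.Sub, nil
}

// exchangeFixed adds the missing check: the subject token must be known to
// the store and still marked active before its subject is honoured.
func exchangeFixed(token string, key []byte, store TokenStore) (string, error) {
	c, err := verifyAndParse(token, key)
	if err != nil {
		return "", err
	}
	if active, known := store[c.Jti]; !known || !active {
		return "", errors.New("subject token revoked or unknown")
	}
	return c.Sub, nil
}

// signHS256 mints a token for the demo (constructed sample, not a real issuer).
func signHS256(c Claims, key []byte) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, _ := json.Marshal(c)
	payload := base64.RawURLEncoding.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(header + "." + payload))
	return header + "." + payload + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

func main() {
	key := []byte("constructed-demo-key") // constructed sample key
	tok := signHS256(Claims{Sub: "alice", Jti: "tok-1", Exp: time.Now().Add(time.Hour).Unix()}, key)
	store := TokenStore{"tok-1": false} // administrator has revoked tok-1
	_, errVuln := exchangeVulnerable(tok, key, store)
	_, errFixed := exchangeFixed(tok, key, store)
	fmt.Println("vulnerable path error:", errVuln) // <nil>: revoked token still exchanged
	fmt.Println("fixed path error:", errFixed)     // subject token revoked or unknown
}
```

The point of the comparison is that signature validity only proves who issued the token, not that it is still live; a revocation decision lives in server-side state, so the exchange path has to consult that state on every request or administrator revocation has no effect.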

CWE(s)
None listed

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1550.001 Application Access Token (Lateral Movement)
Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems.
Why these techniques?

Missing revocation check in JWT token exchange directly allows continued use of compromised/invalidated application access tokens.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

Affected Assets

Casdoor
Inferred from the references and description; NVD did not file a CPE for this CVE.

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References