CVE-2026-9094: Casdoor: GetTokenExchangeToken bypass through lack of cross-organization JWT signature check

Severity: Critical

CVSS Score: 9.8

Casdoor versions 2.362.0 and earlier contain a vulnerability enabling cross-organization token exchange. The GetTokenExchangeToken function in object/token_oauth.go validates JWT signatures but does not verify that the token's user belongs to the same organization as the target application. This can result in privilege escalation across organizational boundaries.