CVE-2026-5469: Casdoor vulnerable to SSRF via crafted Webhook URL

April 3, 2026 (updated April 10, 2026)

A weakness has been identified in Casdoor 2.356.0. This vulnerability affects unknown code of the component Webhook URL Handler. Executing a manipulation can lead to server-side request forgery. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.

References

github.com/advisories/GHSA-p8c7-hjc4-gwf8
github.com/casdoor/casdoor
nvd.nist.gov/vuln/detail/CVE-2026-5469
vuldb.com/submit/781771
vuldb.com/vuln/355073
vuldb.com/vuln/355073/cti

Code Behaviors & Features

Detect and mitigate CVE-2026-5469 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →