Description
A vulnerability was determined in Duende IdentityServer4 up to 4.1.2. The affected element is an unknown function of the file /connect/authorize of the component Token Renewal Endpoint. This manipulation of the argument id_token_hint causes improper authentication. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is described as difficult. This vulnerability only affects products that are no longer supported by the maintainer.
Published: 2026-03-17
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Improper authentication via manipulated id_token_hint
Action: Upgrade
AI Analysis

Impact

A flaw in Duende IdentityServer4 allows an attacker to supply a crafted id_token_hint to the /connect/authorize token renewal endpoint, resulting in improper authentication. The vulnerability could allow an attacker to obtain authenticated sessions or elevated privileges under the guise of a legitimate user, potentially compromising user data and application security. It is a medium-severity issue with a CVSS base score of 6.3.

Affected Systems

Duende IdentityServer4 versions up to and including 4.1.2 are affected. Systems running these unsupported releases are at risk; no specific downstream products are listed.

Risk and Exploitability

The attack can be launched remotely, but it has high complexity and is described as difficult to exploit. EPSS is below 1%, indicating a low likelihood of widespread exploitation, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. However, because the affected software is no longer supported, any exploitation would go unpatched unless the vendor releases an update.

Generated by OpenCVE AI on March 25, 2026 at 12:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Duende IdentityServer4 to a supported, patched version newer than 4.1.2
  • If an upgrade is not feasible, disable or restrict the /connect/authorize token renewal endpoint to trusted clients only
  • Monitor authentication logs for suspicious id_token_hint usage to detect potential exploitation attempts
  • Regularly check the vendor’s security advisories for updates or additional mitigations

Generated by OpenCVE AI on March 25, 2026 at 12:29 UTC.

Advisories

No advisories yet.

History

Wed, 25 Mar 2026 11:15:00 +0000

Type: Description
Values Removed: A vulnerability was determined in Duende IdentityServer 4. The affected element is an unknown function of the file /connect/authorize of the component Token Renewal Endpoint. This manipulation of the argument id_token_hint causes improper authentication. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is described as difficult. The vendor was contacted early about this disclosure but did not respond in any way.
Values Added: A vulnerability was determined in Duende IdentityServer4 up to 4.1.2. The affected element is an unknown function of the file /connect/authorize of the component Token Renewal Endpoint. This manipulation of the argument id_token_hint causes improper authentication. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is described as difficult. This vulnerability only affects products that are no longer supported by the maintainer.

Type: Title
Values Removed: Duende IdentityServer Token Renewal Endpoint authorize improper authentication
Values Added: Duende IdentityServer4 Token Renewal Endpoint authorize improper authentication

Wed, 18 Mar 2026 20:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Mar 2026 12:15:00 +0000

Type: First Time appeared
Values Added: Duende; Duende identityserver

Type: Vendors & Products
Values Added: Duende; Duende identityserver

Tue, 17 Mar 2026 21:45:00 +0000

Type: Description
Values Added: A vulnerability was determined in Duende IdentityServer 4. The affected element is an unknown function of the file /connect/authorize of the component Token Renewal Endpoint. This manipulation of the argument id_token_hint causes improper authentication. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is described as difficult. The vendor was contacted early about this disclosure but did not respond in any way.

Type: Title
Values Added: Duende IdentityServer Token Renewal Endpoint authorize improper authentication

Type: Weaknesses
Values Added: CWE-287

Type: References

Type: Metrics
Values Added: cvssV2_0
{'score': 5.1, 'vector': 'AV:N/AC:H/Au:N/C:P/I:P/A:P/E:ND/RL:ND/RC:ND'}

cvssV3_0
{'score': 5.6, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:X'}

cvssV3_1
{'score': 5.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:X'}

cvssV4_0
{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-25T10:56:05.955Z

Reserved: 2026-03-17T17:03:17.392Z

Link: CVE-2026-4349

Vulnrichment

Updated: 2026-03-18T19:59:06.949Z

NVD

Status: Deferred

Published: 2026-03-17T22:16:15.407

Modified: 2026-04-22T21:32:08.360

Link: CVE-2026-4349

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:44:28Z

Weaknesses