Platform
dotnet
Component
duende.identityserver
Fixed in
4.1.1
4.1.2
4.1.3
CVE-2026-4349 affects Duende IdentityServer4 versions 4.1.0 through 4.1.2. It is an improper-authentication issue: the id_token_hint parameter of the /connect/authorize endpoint can be manipulated in a way the server does not handle safely, and successful exploitation could give an attacker unauthorized access. The product is no longer actively maintained, but mitigations are available.
The core impact of CVE-2026-4349 is unauthorized authentication. An attacker who can control or influence the id_token_hint value sent to /connect/authorize could bypass authentication checks and reach protected resources, which could lead to account takeover, data exposure, or other abuse. The vulnerability is rated as high attack complexity, so exploitation is not trivial and likely requires a good understanding of the IdentityServer4 authorize flow and of how the endpoint consumes the hint. Because the product is unsupported, security updates are unlikely, which raises the practical risk for anyone still running it.
CVE-2026-4349 was publicly disclosed on 2026-03-17. Its complexity makes widespread exploitation unlikely, but the lack of vendor support elevates the risk. No public proof-of-concept (PoC) exploit had been observed as of the disclosure date; the potential for exploitation remains given the vulnerability's nature and the product's unsupported status. It is not listed in the CISA KEV catalog.
Exploit Status
EPSS
0.07% (21% percentile)
Because the product is end-of-life, a vendor patch should not be relied on. The primary mitigation is to migrate away from Duende IdentityServer4 to a supported identity provider. If migration is not immediately feasible, tighten handling of id_token_hint at /connect/authorize: the value must be accepted only if it is a signed token issued by this server for the requesting client, and it must only ever confirm the user who is already signed in, never select a different subject. A Web Application Firewall (WAF) can drop requests to /connect/authorize whose id_token_hint is not shaped like a JWT (three base64url segments), but a WAF cannot verify signatures or audiences, so treat it as a coarse filter rather than a control. Restrict network access to the IdentityServer4 instance to the clients that need it, to keep the blast radius small.
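As an added illustration of the stricter-validation idea above, the following C# class plugs a defense-in-depth check into IdentityServer4's own extension point. This is example code written for this page, not IdentityServer4's code or anything from the advisory; it assumes IdentityServer4's ICustomAuthorizeRequestValidator hook and ITokenValidator service, and the class name, the rejection policy and the registration call in the trailing comment are hypothetical. It layers on top of the built-in checks and does not claim to fix the underlying defect behind CVE-2026-4349.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using IdentityModel;
using IdentityServer4.Extensions;
using IdentityServer4.Validation;
using Microsoft.Extensions.Logging;

// Added example for this page, not IdentityServer4 or advisory code.
// Assumes IdentityServer4's ICustomAuthorizeRequestValidator hook and its
// ITokenValidator service; the class name and rejection policy are hypothetical.
// Defense-in-depth only: it does not fix whatever defect underlies CVE-2026-4349.
public class StrictIdTokenHintValidator : ICustomAuthorizeRequestValidator
{
    private readonly ITokenValidator _tokenValidator;
    private readonly ILogger<StrictIdTokenHintValidator> _logger;

    public StrictIdTokenHintValidator(ITokenValidator tokenValidator,
                                      ILogger<StrictIdTokenHintValidator> logger)
    {
        _tokenValidator = tokenValidator;
        _logger = logger;
    }

    public async Task ValidateAsync(CustomAuthorizeRequestValidationContext context)
    {
        // An earlier validator already failed the request; nothing more to do.
        if (context.Result.IsError) return;

        var request = context.Result.ValidatedRequest;
        var hint = request.Raw.Get(OidcConstants.AuthorizeRequest.IdTokenHint);
        if (string.IsNullOrWhiteSpace(hint)) return;

        // 1. Cheap structural check before any parsing: a compact JWT is exactly
        //    three base64url segments. Anything else is rejected outright.
        if (hint.Split('.').Length != 3)
        {
            Reject(context, "id_token_hint is not a well-formed JWT");
            return;
        }

        // 2. Full validation against this server's own signing keys, with the
        //    audience pinned to the requesting client. An expired hint is tolerated,
        //    as OpenID Connect allows, but signature and audience are not negotiable.
        var validation = await _tokenValidator.ValidateIdentityTokenAsync(
            hint, request.ClientId, validateLifetime: false);
        if (validation.IsError)
        {
            Reject(context, "id_token_hint failed signature or audience validation");
            return;
        }

        // 3. The hint may only confirm the user who is already signed in. If a
        //    session exists and the hinted subject differs, refuse the request
        //    rather than letting the hint pick a different identity.
        var hintedSub = validation.Claims
            .FirstOrDefault(c => c.Type == JwtClaimTypes.Subject)?.Value;
        var sessionSub = request.Subject != null && request.Subject.IsAuthenticated()
            ? request.Subject.GetSubjectId()
            : null;

        if (string.IsNullOrEmpty(hintedSub))
        {
            Reject(context, "id_token_hint carries no subject claim");
            return;
        }
        if (sessionSub != null && !string.Equals(hintedSub, sessionSub, StringComparison.Ordinal))
        {
            Reject(context, "id_token_hint subject does not match the current session");
        }
    }

    private void Reject(CustomAuthorizeRequestValidationContext context, string reason)
    {
        // Log enough to hunt for abuse without echoing the token itself.
        _logger.LogWarning("authorize request for client {ClientId} rejected: {Reason}",
            context.Result.ValidatedRequest.ClientId, reason);
        context.Result.IsError = true;
        context.Result.Error = OidcConstants.AuthorizeErrors.InvalidRequest;
        context.Result.ErrorDescription = reason;
    }
}

// Registration in the host's Startup.ConfigureServices (hypothetical host code):
//   services.AddIdentityServer()
//           .AddCustomAuthorizeRequestValidator<StrictIdTokenHintValidator>();
```

The three steps are ordered from cheapest to most expensive so malformed input never reaches the token parser, and the subject comparison uses ordinal equality so a hint for a look-alike subject identifier cannot pass. The warning log lines give a detection hook: a burst of rejections for one client at /connect/authorize is the signal to investigate.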
If a release of Duende IdentityServer4 that resolves this vulnerability is available to you, upgrade to it. Because the affected 4.1.x line is no longer supported, plan a migration to a currently supported identity provider rather than relying on further fixes for it.
CVE-2026-4349 is a MEDIUM severity vulnerability in Duende IdentityServer4 versions 4.1.0 through 4.1.2 in which manipulation of the id_token_hint parameter at /connect/authorize can bypass authentication.
You are affected if your application references Duende IdentityServer4 versions 4.1.0 through 4.1.2; check the version pinned in your project file or packages.lock.json. Because the product is end-of-life, upgrading or migrating is strongly recommended.
Due to the product's end-of-life, a direct patch is unavailable. Migrate to a supported identity management solution. Implement input validation and WAF rules as temporary mitigations.
No active exploitation has been confirmed as of the disclosure date, but the lack of vendor support increases the risk.
Refer to the Duende IdentityServer4 project's repository and associated documentation for information regarding this vulnerability.