Platform: dotnet
Component: duende.identityserver
Fixed in: 4.1.1, 4.1.2, 4.1.3
CVE-2026-4349 affects Duende IdentityServer4 versions 4.1.0 through 4.1.2. This vulnerability involves improper authentication due to manipulation of the idtokenhint parameter of the /connect/authorize endpoint. Successful exploitation could allow an attacker to gain unauthorized access. While the product is no longer actively maintained, mitigation strategies are available.
The core impact of CVE-2026-4349 lies in the potential for unauthorized authentication. An attacker who can control or influence the idtokenhint parameter can potentially bypass authentication checks and gain access to protected resources. This could lead to account takeover, data breaches, or other malicious activities. The high complexity requirement suggests that exploitation is not trivial and likely requires a deep understanding of the IdentityServer4 architecture and the authentication flow. The fact that this product is no longer supported significantly increases the risk, as security updates and patches are unlikely to be released.
CVE-2026-4349 was publicly disclosed on 2026-03-17. The vulnerability's complexity suggests that widespread exploitation is unlikely, but the lack of vendor support elevates the risk. No public proof-of-concept (PoC) exploits have been observed as of the disclosure date, but the potential for exploitation remains due to the vulnerability's nature and the product's unsupported status. It is not listed on the CISA KEV catalog.
Organizations relying on Duende IdentityServer4 versions 4.1.0–4.1.2, particularly those with critical data or sensitive applications protected by this identity provider, are at significant risk. Legacy systems or applications that have not been updated to newer identity management solutions are especially vulnerable.
• .NET / IdentityServer4: Monitor logs for unusual authentication requests targeting the /connect/authorize endpoint, specifically those containing suspicious values in the idtokenhint parameter.
• .NET / IdentityServer4: Use a WAF to block requests with malformed or excessively long idtokenhint values.
• .NET / IdentityServer4: Review application code for any custom handling of the idtokenhint parameter that might be vulnerable to manipulation.
disclosure
Exploit status
EPSS
0.07% (21st percentile)
CISA SSVC
CVSS vector
Due to the product's end-of-life status, direct patching is unavailable. The primary mitigation strategy is to migrate away from Duende IdentityServer4 to a supported alternative. If migration is not immediately feasible, consider implementing stricter input validation on the idtokenhint parameter to prevent malicious manipulation. Web Application Firewalls (WAFs) can be configured to filter suspicious requests targeting the /connect/authorize endpoint. Thoroughly review and restrict access to the IdentityServer4 instance to minimize the potential blast radius.
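The page's idtokenhint is the OpenID Connect id_token_hint query parameter. As an added example that is not from this page or from the IdentityServer4 project, the following Python script applies the log-monitoring and input-shape checks suggested in the bullets and the mitigation paragraph above to constructed access-log lines, flagging /connect/authorize requests whose id_token_hint is oversized, not a three-segment JWT, unsigned, or issued by an unexpected issuer. The issuer URL, the length bound and the log-line format are assumptions; signature verification is deliberately left to the identity provider itself.

```python
import base64
import json
from urllib.parse import parse_qs, urlsplit

EXPECTED_ISSUER = "https://idp.example.test"  # assumed: issuer URL of the monitored IdP
MAX_HINT_LENGTH = 4096                         # assumed: sanity bound on hint length (WAF-style check)

def _b64url_json(segment):  # decode one base64url JWT segment to JSON, or None if not well-formed
    try:
        return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    except (ValueError, UnicodeDecodeError):
        return None

def inspect_id_token_hint(hint):
    """Shape checks only (signature verification stays with the IdP): reasons the hint looks suspicious."""
    reasons = ["oversized"] if len(hint) > MAX_HINT_LENGTH else []
    parts = hint.split(".")
    if len(parts) != 3:
        return reasons + ["not a compact JWS (expected 3 segments)"]
    header, payload = _b64url_json(parts[0]), _b64url_json(parts[1])
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return reasons + ["undecodable header or payload"]
    if str(header.get("alg", "")).lower() == "none" or parts[2] == "":
        reasons.append("unsigned token (alg=none or empty signature)")
    if payload.get("iss") != EXPECTED_ISSUER:
        reasons.append("unexpected issuer %r" % payload.get("iss"))
    return reasons

def scan_access_log(lines):
    """Return [(client_ip, reasons)] for /connect/authorize requests whose hint fails a check."""
    findings = []
    for line in lines:
        fields = line.split()  # assumed log format: client_ip method target status
        url = urlsplit(fields[2]) if len(fields) > 2 else None
        if url is None or url.path != "/connect/authorize":
            continue
        for hint in parse_qs(url.query).get("id_token_hint", []):
            if reasons := inspect_id_token_hint(hint):
                findings.append((fields[0], reasons))
    return findings

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
GOOD = _b64url({"alg": "RS256"}) + "." + _b64url({"iss": EXPECTED_ISSUER, "sub": "u1"}) + ".sig"  # constructed; "sig" stands in for a real signature
BAD = _b64url({"alg": "none"}) + "." + _b64url({"iss": "https://other.example.test"}) + "."      # constructed: unsigned, foreign issuer
SAMPLE_LOG = [  # constructed access-log lines
    "198.51.100.7 GET /connect/authorize?client_id=web&id_token_hint=" + GOOD + " 302",
    "203.0.113.9 GET /connect/authorize?client_id=web&id_token_hint=" + BAD + " 302",
    "203.0.113.9 GET /connect/authorize?client_id=web&id_token_hint=not-a-jwt 400",
    "198.51.100.7 GET /connect/token 200",
]
```

Running `scan_access_log(SAMPLE_LOG)` reports only the two requests from 203.0.113.9; the well-formed hint and the non-authorize request pass.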
Update to a compatible version of Duende IdentityServer4 that has fixed this vulnerability. Since the affected versions are no longer supported, consider migrating to a newer, supported version.
CVE-2026-4349 is a MEDIUM severity vulnerability in Duende IdentityServer4 versions 4.1.0–4.1.2 that allows manipulation of the idtokenhint parameter to bypass authentication.
You are affected if you are using Duende IdentityServer4 versions 4.1.0 through 4.1.2. Due to the product's end-of-life status, upgrading is strongly recommended.
Due to the product's end-of-life, a direct patch is unavailable. Migrate to a supported identity management solution. Implement input validation and WAF rules as temporary mitigations.
No active exploitation has been confirmed as of the disclosure date, but the lack of vendor support increases the risk.
Refer to the Duende IdentityServer4 project's repository and associated documentation for information regarding this vulnerability.