Platform
dotnet
Component
duende.identityserver
Fixed versions
4.1.1
4.1.2
4.1.3
CVE-2026-4349 affects Duende IdentityServer4 versions 4.1.0 through 4.1.2. This vulnerability involves improper authentication due to manipulation of the idtokenhint argument within the /connect/authorize endpoint. Successful exploitation could allow an attacker to gain unauthorized access. While the product is no longer actively maintained, mitigation strategies are available.
The core impact of CVE-2026-4349 lies in the potential for unauthorized authentication. An attacker who can control or influence the idtokenhint parameter can potentially bypass authentication checks and gain access to protected resources. This could lead to account takeover, data breaches, or other malicious activities. The high complexity requirement suggests that exploitation is not trivial and likely requires a deep understanding of the IdentityServer4 architecture and the authentication flow. The fact that this product is no longer supported significantly increases the risk, as security updates and patches are unlikely to be released.
CVE-2026-4349 was publicly disclosed on 2026-03-17. The vulnerability's complexity suggests that widespread exploitation is unlikely, but the lack of vendor support elevates the risk. No public proof-of-concept (PoC) exploits have been observed as of the disclosure date, but the potential for exploitation remains due to the vulnerability's nature and the product's unsupported status. It is not listed on the CISA KEV catalog.
Organizations relying on Duende IdentityServer4 versions 4.1.0–4.1.2, particularly those with critical data or sensitive applications protected by this identity provider, are at significant risk. Legacy systems or applications that have not been updated to newer identity management solutions are especially vulnerable.
• .NET / IdentityServer4: Monitor logs for unusual authentication requests targeting the /connect/authorize endpoint, specifically those containing suspicious values in the idtokenhint parameter.
• .NET / IdentityServer4: Use a WAF to block requests with malformed or excessively long idtokenhint values.
• .NET / IdentityServer4: Review application code for any custom handling of the idtokenhint parameter that might be vulnerable to manipulation.
Exploitation status
EPSS
0.07% (21st percentile)
CISA SSVC
CVSS vector
Due to the product's end-of-life status, direct patching is unavailable. The primary mitigation strategy is to migrate away from Duende IdentityServer4 to a supported alternative. If migration is not immediately feasible, consider implementing stricter input validation on the idtokenhint parameter to prevent malicious manipulation. Web Application Firewalls (WAFs) can be configured to filter suspicious requests targeting the /connect/authorize endpoint. Thoroughly review and restrict access to the IdentityServer4 instance to minimize the potential blast radius.
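The monitoring and input-validation mitigations above can be turned into a concrete log check. The script below is an added example, not code from this advisory or from the IdentityServer project; it assumes a constructed log format of `timestamp client_ip method path`, uses the OpenID Connect parameter name `id_token_hint` (the advisory writes it as idtokenhint), and checks only the structure of the hint, so it supplements rather than replaces the identity provider's own signature validation.

```python
import base64
import json
from urllib.parse import parse_qs, urlsplit

# Assumed cap; tune to the longest id_token your own clients legitimately hold.
MAX_HINT_LEN = 4096

def b64url_json(segment: str):
    """Decode one base64url JWT segment into a JSON object, or None if it is not one."""
    try:
        return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    except ValueError:  # bad base64, bad UTF-8 and bad JSON are all ValueError subclasses
        return None

def classify_hint(hint: str) -> str:
    """Return 'ok' for a structurally plausible id_token_hint, else a short reason."""
    if len(hint) > MAX_HINT_LEN:
        return "oversized"
    parts = hint.split(".")
    if len(parts) != 3:
        return "not-a-jws"  # compact JWS is exactly header.payload.signature
    header, payload = b64url_json(parts[0]), b64url_json(parts[1])
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return "undecodable"
    if str(header.get("alg", "none")).lower() == "none" or not parts[2]:
        return "unsigned"  # an unsigned hint can name any subject; never trust it
    for claim in ("iss", "sub", "aud"):
        if claim not in payload:
            return f"missing-{claim}"
    return "ok"

def make_hint(header: dict, payload: dict, signature: str = "c2ln") -> str:
    """Build a constructed compact-JWS string for testing; the signature is NOT real."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}.{signature}"

def scan_log(lines):
    """Return (client_ip, reason) for /connect/authorize requests with a suspicious hint."""
    findings = []
    for line in lines:
        try:
            _, ip, _, target = line.split(" ", 3)  # constructed format: ts ip method path
        except ValueError:
            continue  # not a request line we understand
        url = urlsplit(target)
        if url.path != "/connect/authorize":
            continue
        for hint in parse_qs(url.query, keep_blank_values=True).get("id_token_hint", []):
            reason = classify_hint(hint)
            if reason != "ok":
                findings.append((ip, reason))
    return findings
```

Feed it the access log of the IdentityServer host; the returned reasons map directly onto WAF rules (length, segment count, unsigned tokens) if you decide to block rather than only alert.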
Upgrade to a compatible version of Duende IdentityServer4 in which this vulnerability is fixed. Since the affected versions are no longer supported, consider migrating to a newer, supported version.
CVE-2026-4349 is a MEDIUM severity vulnerability in Duende IdentityServer4 versions 4.1.0–4.1.2 that allows manipulation of the idtokenhint parameter to bypass authentication.
You are affected if you are using Duende IdentityServer4 versions 4.1.0 through 4.1.2. Due to the product's end-of-life status, upgrading is strongly recommended.
Due to the product's end-of-life, a direct patch is unavailable. Migrate to a supported identity management solution. Implement input validation and WAF rules as temporary mitigations.
No active exploitation has been confirmed as of the disclosure date, but the lack of vendor support increases the risk.
Refer to the Duende IdentityServer4 project's repository and associated documentation for information regarding this vulnerability.