CVE-2026-4349

MEDIUM

Duende IdentityServer Token Renewal Endpoint authorize improper authentication

Title source: cna

Description

A vulnerability was determined in Duende IdentityServer4 up to 4.1.2. The affected element is an unknown function of the file /connect/authorize of the component Token Renewal Endpoint. This manipulation of the argument id_token_hint causes improper authentication. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is described as difficult. This vulnerability only affects products that are no longer supported by the maintainer.

References (3)

[Vdb Entry, Technical Description] https://vuldb.com/?id.351380

[Signature, Permissions Required] https://vuldb.com/?ctiid.351380

[Third Party Advisory] https://vuldb.com/?submit.772071

Scores

CVSS v3 5.6

EPSS 0.0003

EPSS Percentile 8.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Details

CWE

CWE-287

Status published

Products (4)

Duende/IdentityServer 4

Duende/IdentityServer4 4.1.0

Duende/IdentityServer4 4.1.1

Duende/IdentityServer4 4.1.2

Published Mar 17, 2026

Tracked Since Mar 18, 2026