PT-2025-7217 · Duende · Duende.AccessTokenManagement

Michael Dimoudis · Published 2025-02-18 · Updated 2025-02-19 · CVE-2025-26620

CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Name of the Vulnerable Software and Affected Versions: Duende.AccessTokenManagement (affected versions not specified)
Description: Duende.AccessTokenManagement contains a race condition when requesting access tokens using the client credentials flow. When concurrent requests for an access token for the same client use differing protocol parameters (for example a different scope or resource indicator), a caller can receive a token that was obtained with another caller's parameters, that is, a token with the wrong scope, resource indicator, or other protocol parameters. This issue is somewhat atypical and only a small percentage of users are likely to be affected. Most users will not be vulnerable, because the race requires concurrent requests for the same client with different parameters; more advanced users who pass customized token request parameters to methods such as HttpContext.GetClientAccessTokenAsync() and IClientCredentialsTokenManagementService.GetAccessTokenAsync() may run into it. The impact of holding a token with different protocol parameters than intended depends on the application logic, the security architecture of the solution, and the authorization policy of the resource servers: a token minted for one scope or audience may end up being presented to another.
Recommendations: To resolve the issue, most users can simply update the NuGet package to the latest version. Custom IClientCredentialsTokenCache implementations that derive from the default implementation (DistributedClientCredentialsTokenCache) need a small code change, because the fixed version's constructor takes an additional dependency on the ITokenRequestSynchronization service: inject the synchronization service into the derived class and pass it to the base constructor. As a temporary workaround until the update can be applied, consider disabling calls to GetClientAccessTokenAsync() and GetAccessTokenAsync() that pass customized token request parameters, and restrict which code paths can supply a TokenRequestParameters object, so that concurrent requests for the same client cannot differ in scope or resource and the race cannot be triggered.
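The race from the description above, as an added example constructed for this page (it is not Duende's code, and the advisory does not state the library's internal mechanism). The model assumes the common shape of such a bug: the token cache is keyed on the full request parameters, but de-duplication of in-flight token requests is keyed on the client name alone, so a second caller with a different scope joins the first caller's request and receives the first caller's token. The names TokenRequest, TokenManager, FakeTokenEndpoint, run_race and token_matches_request are hypothetical; sync_on_parameters=True keys the in-flight bookkeeping on the same full key as the cache, which is the hardened form.

```python
"""Model of a client-credentials token-request race (constructed example).

The vulnerable variant synchronizes in-flight requests on the client name only;
the hardened variant synchronizes on (client name, scope, resource).
"""
import asyncio
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TokenRequest:
    # Hypothetical stand-in for the library's TokenRequestParameters.
    client_name: str
    scope: Optional[str] = None
    resource: Optional[str] = None


@dataclass(frozen=True)
class AccessToken:
    value: str
    scope: Optional[str]
    resource: Optional[str]


class FakeTokenEndpoint:
    """Constructed stand-in for the authorization server's token endpoint.

    Every request blocks until `release` is set, so two callers can be lined up
    before either token is issued.
    """

    def __init__(self) -> None:
        self.release = asyncio.Event()
        self.requests: List[TokenRequest] = []

    async def client_credentials(self, req: TokenRequest) -> AccessToken:
        self.requests.append(req)
        seq = len(self.requests)
        await self.release.wait()
        # The token carries exactly the parameters of the request that minted it.
        return AccessToken(f"tok-{seq}", req.scope, req.resource)


class TokenManager:
    def __init__(self, endpoint: FakeTokenEndpoint, sync_on_parameters: bool) -> None:
        self._endpoint = endpoint
        self._sync_on_parameters = sync_on_parameters
        self._cache: Dict[Tuple, AccessToken] = {}
        self._inflight: Dict[object, asyncio.Future] = {}

    @staticmethod
    def _cache_key(req: TokenRequest) -> Tuple:
        return (req.client_name, req.scope, req.resource)

    def _sync_key(self, req: TokenRequest) -> object:
        if self._sync_on_parameters:
            return self._cache_key(req)  # hardened: same key as the cache
        return req.client_name           # vulnerable: ignores scope and resource

    async def get_access_token(self, req: TokenRequest) -> AccessToken:
        cache_key = self._cache_key(req)
        if cache_key in self._cache:
            return self._cache[cache_key]
        sync_key = self._sync_key(req)
        pending = self._inflight.get(sync_key)
        if pending is not None:
            # Join the request already in flight for this key. With the vulnerable
            # key, that request may have been made with different parameters.
            return await pending
        fut = asyncio.get_running_loop().create_future()
        self._inflight[sync_key] = fut
        try:
            token = await self._endpoint.client_credentials(req)
            self._cache[cache_key] = token
            fut.set_result(token)
            return token
        except BaseException as exc:
            fut.set_exception(exc)
            raise
        finally:
            del self._inflight[sync_key]


def token_matches_request(req: TokenRequest, token: AccessToken) -> bool:
    """Defensive post-condition: the token has the scope/resource that was asked for."""
    return token.scope == req.scope and token.resource == req.resource


async def _race(sync_on_parameters: bool):
    endpoint = FakeTokenEndpoint()
    manager = TokenManager(endpoint, sync_on_parameters)
    read = TokenRequest("api-client", scope="orders.read")
    write = TokenRequest("api-client", scope="orders.write")
    first = asyncio.create_task(manager.get_access_token(read))
    second = asyncio.create_task(manager.get_access_token(write))
    await asyncio.sleep(0)  # both tasks run up to their first await, in order
    endpoint.release.set()  # the token endpoint now answers
    tok_read, tok_write = await asyncio.gather(first, second)
    return tok_read, tok_write, len(endpoint.requests)


def run_race(sync_on_parameters: bool) -> Tuple[AccessToken, AccessToken, int]:
    """Returns (token given to the read caller, token given to the write caller, endpoint calls)."""
    return asyncio.run(_race(sync_on_parameters))


if __name__ == "__main__":
    for hardened in (False, True):
        r, w, n = run_race(hardened)
        print(f"sync_on_parameters={hardened}: read caller scope={r.scope!r}, "
              f"write caller scope={w.scope!r}, endpoint calls={n}")
```

With sync_on_parameters=False the endpoint is called once and both callers receive the orders.read token, so the caller that asked for orders.write holds a token for the wrong scope; with sync_on_parameters=True the endpoint is called twice and each caller gets its own token. The token_matches_request check is the kind of assertion application code can apply while still on an unpatched version, provided the token response (or the decoded token) exposes the granted scope and audience.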

Weakness Enumeration

Time of Check to Time of Use (TOCTOU)

Related Identifiers

CVE-2025-26620
GHSA-QXJ7-2X7W-3MPP

Affected Products

Duende.AccessTokenManagement