CVE-2026-4349

Name of the Vulnerable Software and Affected Versions Duende IdentityServer version 4

Description A security issue exists in Duende IdentityServer 4 related to improper authentication. Manipulation of the id token hint argument within an unknown function of the /connect/authorize file in the Token Renewal Endpoint component can lead to unauthorized access. The attack can be initiated remotely and is considered to have high complexity with difficult exploitability. The vendor was contacted regarding this issue but did not respond.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.