CVE-2026-4349 in IdentityServer4

Summary

by MITRE • 03/18/2026

A vulnerability was determined in Duende IdentityServer4 up to 4.1.2. The affected element is an unknown function of the file /connect/authorize of the component Token Renewal Endpoint. This manipulation of the argument id_token_hint causes improper authentication. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is described as difficult. This vulnerability only affects products that are no longer supported by the maintainer.


Analysis

by VulDB Data Team • 03/25/2026

CVE-2026-4349 affects Duende IdentityServer4 version 4.1.2 and earlier, specifically the token renewal endpoint. It is a critical authentication flaw in an identity management component that many systems rely on. The weakness lies in the handling of the id_token_hint parameter at the /connect/authorize endpoint, which opens a path for unauthorized authentication attempts that could compromise user sessions and access controls. Because this component is part of the OpenID Connect authorization flow, it sits at the core of identity verification.

The technical flaw stems from inadequate input validation in the token renewal endpoint. When an attacker supplies a crafted id_token_hint argument, the system does not properly validate or sanitize it before using it in the authentication flow. This lets a malicious actor manipulate the authentication state and potentially bypass legitimate authentication mechanisms. The vulnerability follows the pattern of CWE-20 (improper input validation) and is aligned with ATT&CK technique T1566.001 for credential harvesting through phishing. Exploitation is rated as difficult and requires significant technical knowledge and access to the system.

The operational impact goes beyond a simple authentication bypass: session hijacking, privilege escalation, and unauthorized access to protected resources are all possible outcomes. Systems running unsupported versions of Duende IdentityServer4 are particularly exposed because they no longer receive security patches that would address this flaw. The attack vector is remote, so an adversary can exploit the weakness from an external network without physical access to the target infrastructure. Organizations that have not migrated to a supported version therefore leave their identity management systems open to compromise.

Mitigation should prioritize immediate migration to a supported version of Duende IdentityServer4 in which this vulnerability is addressed through proper input validation and parameter sanitization. While the upgrade is planned, network segmentation and access controls should limit exposure of the affected endpoint. Security monitoring should be extended to detect anomalous authentication patterns and unusual id_token_hint parameter usage that might indicate exploitation attempts. The classification of this issue as affecting only unsupported products underlines the importance of keeping software current and following vendor security advisories. Organizations should also assess their identity infrastructure for other vulnerabilities that may exist in legacy systems and ensure that patch management processes are in place to prevent similar issues in the future.
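The monitoring recommended above, as an added example that is not part of the VulDB entry or of IdentityServer4 itself: a small log-triage helper that picks /connect/authorize requests out of an access log and flags any id_token_hint that does not look like an id_token the deployment's own issuer would have minted (malformed JWS, alg=none, empty signature, foreign issuer, missing core claims, or an aud that does not include the requesting client_id). The issuer URL, the log line layout and the sample tokens are all assumptions constructed for the example; the checks are structural heuristics for triage and do not replace the signature validation the identity provider must perform itself.

```python
# Added example (not code from the VulDB entry or from IdentityServer4):
# flag /connect/authorize requests whose id_token_hint looks anomalous.
# Assumptions (not from the page): the issuer URL below, the log line layout
# '<ts> <ip> <method> <path+query> <status>', and the constructed sample tokens.
import base64
import json
from typing import Optional
from urllib.parse import parse_qs, urlsplit

EXPECTED_ISSUER = "https://idp.example.test"  # assumed issuer of the deployment


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    """Encode a dict as an unpadded base64url JSON segment (used to build samples)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def inspect_id_token_hint(hint: str, client_id: Optional[str]) -> list:
    """Return the reasons a hint looks anomalous; an empty list means it passed."""
    parts = hint.split(".")
    if len(parts) != 3:
        return ["not a three-part JWS"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return ["header or payload is not base64url-encoded JSON"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["header or payload is not a JSON object"]
    reasons = []
    if str(header.get("alg", "")).lower() == "none":
        reasons.append("alg=none")
    if not parts[2]:
        reasons.append("empty signature")
    if claims.get("iss") != EXPECTED_ISSUER:
        reasons.append(f"issuer mismatch: {claims.get('iss')!r}")
    for claim in ("sub", "aud", "exp"):
        if claim not in claims:
            reasons.append(f"missing claim: {claim}")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id is not None and "aud" in claims and client_id not in audiences:
        reasons.append(f"aud {aud!r} does not include client_id {client_id!r}")
    return reasons


def scan_authorize_log(lines: list) -> list:
    """Return (source_ip, reasons) for each /connect/authorize request whose
    id_token_hint fails a heuristic. Requests without the parameter are skipped."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5 or not fields[3].startswith("/connect/authorize"):
            continue
        query = parse_qs(urlsplit(fields[3]).query)
        hints = query.get("id_token_hint")
        if not hints:
            continue
        client_id = query.get("client_id", [None])[0]
        reasons = inspect_id_token_hint(hints[0], client_id)
        if reasons:
            findings.append((fields[1], reasons))
    return findings


# Constructed sample tokens and log lines (not real traffic, not real keys).
GOOD_HINT = ".".join([
    _b64url_encode({"alg": "RS256", "kid": "k1"}),
    _b64url_encode({"iss": EXPECTED_ISSUER, "sub": "u-42", "aud": "spa", "exp": 1773800000}),
    "c2lnbmF0dXJl",  # placeholder signature segment; only its presence is checked here
])
FOREIGN_HINT = ".".join([
    _b64url_encode({"alg": "none"}),
    _b64url_encode({"iss": "https://evil.example.test", "sub": "u-42", "aud": "other-client"}),
    "",
])
SAMPLE_LOG = [
    f"2026-03-18T10:00:01Z 198.51.100.7 GET /connect/authorize?client_id=spa&prompt=none&id_token_hint={GOOD_HINT} 302",
    f"2026-03-18T10:00:02Z 203.0.113.9 GET /connect/authorize?client_id=spa&prompt=none&id_token_hint={FOREIGN_HINT} 302",
    "2026-03-18T10:00:03Z 203.0.113.9 GET /connect/authorize?client_id=spa&prompt=none&id_token_hint=not-a-jwt 400",
    "2026-03-18T10:00:04Z 192.0.2.3 GET /connect/token 200",
]

if __name__ == "__main__":
    for ip, reasons in scan_authorize_log(SAMPLE_LOG):
        print(ip, "->", "; ".join(reasons))
```

Run against a real access log, the findings list is what would feed an alert: a single malformed hint is usually a client bug, while repeated hints from one source with a foreign issuer or alg=none during prompt=none renewals is the pattern worth escalating.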

Responsible

VulDB

Disclosure

03/18/2026

Moderation

accepted

CPE

ready

EPSS

0.00024

KEV

no

Activities

very low

Sources
