| Title | DuendeSoftware Identity Server 4 Authentication Bypass Issues |
|---|
| Description | During our tests, it was identified that the token renewal endpoint accepts the id_token_hint parameter even after the token expires. This allows a silent session renewal request to be reused to generate new valid tokens without the need for re-authentication.
For exploitation, a legitimate authentication was initially performed on the application. Then, a silent renewal request sent to the endpoint was intercepted:
GET /connect/authorize
The request contained the parameters prompt=none and id_token_hint=<JWT>, responsible for renewing the user's session.
After waiting for the token expiration time (exp), the same request was resent without any modification using an interception tool (e.g., Burp Suite Repeater).
Even with the expired id_token_hint, the server returned a new valid id_token and access_token, demonstrating that the system does not correctly validate the token expiration before issuing new tokens.
This behavior allows an attacker who captures a single renewal request to re-execute it indefinitely, maintaining access to the victim's account without needing credentials or MFA. |
|---|
| Source | ⚠️ http://localhost/connect/authorize/callback?client_id= |
|---|
| User | Edcarlos (UID 53778) |
|---|
| Submission | 03/05/2026 05:04 (2 months ago) |
|---|
| Moderation | 03/17/2026 18:03 (13 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 351380 [Duende IdentityServer4 up to 4.1.2 Token Renewal Endpoint /connect/authorize id_token_hint improper authentication] |
|---|
| Points | 20 |
|---|