29 matches found
EUVD-2026-12659
A vulnerability was determined in Duende IdentityServer 4. The affected element is an unknown function of the file /connect/authorize of the component Token Renewal Endpoint. This manipulation of the argument idtokenhint causes improper authentication. It is possible to initiate the attack...
CVE-2026-4349
A vulnerability was determined in Duende IdentityServer4 up to 4.1.2. The affected element is an unknown function of the file /connect/authorize of the component Token Renewal Endpoint. This manipulation of the argument idtokenhint causes improper authentication. It is possible to initiate the...
CVE-2026-4349 Duende IdentityServer4 Token Renewal Endpoint authorize improper authentication
A vulnerability was determined in Duende IdentityServer4 up to 4.1.2. The affected element is an unknown function of the file /connect/authorize of the component Token Renewal Endpoint. This manipulation of the argument idtokenhint causes improper authentication. It is possible to initiate the...
CVE-2026-4349 Duende IdentityServer4 Token Renewal Endpoint authorize improper authentication
A vulnerability was determined in Duende IdentityServer4 up to 4.1.2. The affected element is an unknown function of the file /connect/authorize of the component Token Renewal Endpoint. This manipulation of the argument idtokenhint causes improper authentication. It is possible to initiate the...
CVE-2026-4349
A vulnerability was determined in Duende IdentityServer4 up to 4.1.2. The affected element is an unknown function of the file /connect/authorize of the component Token Renewal Endpoint. This manipulation of the argument idtokenhint causes improper authentication. It is possible to initiate the...
CVE-2026-4349
CVE-2026-4349 affects Duende IdentityServer 4; vulnerable component is the Token Renewal Endpoint under /connect/authorize, where manipulation of the id_token_hint argument leads to improper authentication. The issue is described as remote-exploitable with high attack complexity, but the provided...
Duende IdentityServer 授权问题漏洞
Duende IdentityServer is an open-source framework developed by Duende for ASP.NET Core, which adheres to standard OpenID Connect and OAuth 2.x protocols. Duende IdentityServer has a vulnerability related to authorization. This vulnerability stems from incorrect handling of the parameter idtokenhi...
PT-2026-25949
A vulnerability was determined in Duende IdentityServer 4. The affected element is an unknown function of the file /connect/authorize of the component Token Renewal Endpoint. This manipulation of the argument id token hint causes improper authentication. It is possible to initiate the attack...
EUVD-2024-3141
Malicious code in bioql PyPI...
EUVD-2024-2334
Malicious code in bioql PyPI...
CVE-2024-49755
Duende IdentityServer is an OpenID Connect and OAuth 2.x framework for ASP.NET Core. IdentityServer's local API authentication handler performs insufficient validation of the cnf claim in DPoP access tokens. This allows an attacker to use leaked DPoP access tokens at local api endpoints even...
CVE-2024-39694
Duende IdentityServer is an OpenID Connect and OAuth 2.x framework for ASP.NET Core. It is possible for an attacker to craft malicious Urls that certain functions in IdentityServer will incorrectly treat as local and trusted. If such a Url is returned as a redirect, some browsers will follow it t...
Leaked Token Reuse Attack
Duende IdentityServer is vulnerable to Leaked Token Reuse Attack. The vulnerability is due to insufficient validation of the cnf claim in DPoP access tokens by the LocalApiAuthenticationHandler. It allows attackers to misuse leaked tokens without requiring the private key needed for signing proof...
CVE-2024-49755
Duende IdentityServer is an OpenID Connect and OAuth 2.x framework for ASP.NET Core. IdentityServer's local API authentication handler performs insufficient validation of the cnf claim in DPoP access tokens. This allows an attacker to use leaked DPoP access tokens at local api endpoints even...
CVE-2024-49755
Duende IdentityServer (ASP.NET Core) Local API authentication handler improperly validates the cnf claim in DPoP access tokens. This lets an attacker use leaked DPoP tokens at local API endpoints without the private key, affecting only endpoints explicitly using LocalApiAuthenticationHandler for ...
CVE-2024-49755 Duende IdentityServer has insufficient validation of DPoP cnf claim in Local APIs
Duende IdentityServer is an OpenID Connect and OAuth 2.x framework for ASP.NET Core. IdentityServer's local API authentication handler performs insufficient validation of the cnf claim in DPoP access tokens. This allows an attacker to use leaked DPoP access tokens at local api endpoints even...
CVE-2024-49755 Duende IdentityServer has insufficient validation of DPoP cnf claim in Local APIs
Duende IdentityServer is an OpenID Connect and OAuth 2.x framework for ASP.NET Core. IdentityServer's local API authentication handler performs insufficient validation of the cnf claim in DPoP access tokens. This allows an attacker to use leaked DPoP access tokens at local api endpoints even...
CVE-2024-49755 Duende IdentityServer has insufficient validation of DPoP cnf claim in Local APIs
Duende IdentityServer is an OpenID Connect and OAuth 2.x framework for ASP.NET Core. IdentityServer's local API authentication handler performs insufficient validation of the cnf claim in DPoP access tokens. This allows an attacker to use leaked DPoP access tokens at local api endpoints even...
Duende IdentityServer has insufficient validation of DPoP cnf claim in Local APIs
Impact IdentityServer's local API authentication handler performs insufficient validation of the cnf claim in DPoP access tokens. This allows an attacker to use leaked DPoP access tokens at local api endpoints even without possessing the private key for signing proof tokens. Note that this only...
Duende IdentityServer 授权问题漏洞
Duende IdentityServer is a Duende open source, standards-compliant OpenID Connect and OAuth 2.x framework for ASP.NET Core. An authorization issue vulnerability exists in Duende IdentityServer version 7.0.0 and earlier, which stems from insufficient validation performed by the local API...