7 matches found
Race Condition
Duende.AccessTokenManagement is vulnerable to a Race condition. The vulnerability is due to improper synchronization in access token retrieval, allowing an attacker to obtain a token with incorrect scopes or resource indicators, potentially leading to unauthorized access...
GHSA-QXJ7-2X7W-3MPP Duende.AccessTokenManagement race condition when concurrently retrieving customized Client Credentials Access Tokens
Summary Duende.AccessTokenManagement contains a race condition when requesting access tokens using the client credentials flow. Concurrent requests to obtain an access token using differing protocol parameters can return access tokens obtained with the wrong scope, resource indicator, or other...
CVE-2025-26620 Duende.AccessTokenManagement race condition when concurrently retrieving customized Client Credentials Access Tokens
Duende.AccessTokenManagement is a set of .NET libraries that manage OAuth and OpenId Connect access tokens. Duende.AccessTokenManagement contains a race condition when requesting access tokens using the client credentials flow. Concurrent requests to obtain an access token using differing protoco...
CVE-2025-26620 Duende.AccessTokenManagement race condition when concurrently retrieving customized Client Credentials Access Tokens
Duende.AccessTokenManagement is a set of .NET libraries that manage OAuth and OpenId Connect access tokens. Duende.AccessTokenManagement contains a race condition when requesting access tokens using the client credentials flow. Concurrent requests to obtain an access token using differing protoco...
CVE-2024-51987
Duende.AccessTokenManagement.OpenIdConnect is a set of .NET libraries that manage OAuth and OpenId Connect access tokens. HTTP Clients created by AddUserAccessTokenHttpClient may use a different user's access token after a token refresh occurs. This occurs because a refreshed token will be captur...
CVE-2024-51987
The CVE-2024-51987 issue affects Duende.AccessTokenManagement.OpenIdConnect, where HTTP clients created via AddUserAccessTokenHttpClient could emit a refreshed token associated with another user due to token capture in pooled HttpClient instances. Technical details across sources confirm the vuln...
CVE-2024-51987 HTTP Client uses incorrect token after refresh in Duende.AccessTokenManagement.OpenIdConnect
Duende.AccessTokenManagement.OpenIdConnect is a set of .NET libraries that manage OAuth and OpenId Connect access tokens. HTTP Clients created by AddUserAccessTokenHttpClient may use a different user's access token after a token refresh occurs. This occurs because a refreshed token will be captur...