What is CVE-2026-4349?

CVE-2026-4349 is a medium-severity vulnerability in Duende Identityserver4, classified under Improper Authentication. CVSS score: 5.6/10. Published 2026-03-17.

How severe is CVE-2026-4349?

Medium severity. CVSS v3 base score is 5.6 out of 10.

Auth bypass in Duende Identityserver4

CVE-2026-4349

A vulnerability was determined in Duende IdentityServer4 up to 4.1.2. The affected element is an unknown function of the file /connect/authorize of the component Token Renewal Endpoint. This manipulation of the argument id_token_hint cause…

Vulnerability class: Broken Authentication

EPSS: 0.000 (6.9th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.6 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:X.

Affected products

Duende Identityserver4 — versions 4.1.0, 4.1.1, 4.1.2

Weakness classification (CWE)

CWE-287 — Improper Authentication

References

VDB-351380 | Duende IdentityServer4 Token Renewal Endpoint authorize improper authentication (vdb-entry, technical-description)
VDB-351380 | CTI Indicators (IOB, IOC, IOA) (signature, permissions-required)
Submit #772071 | DuendeSoftware Identity Server 4 Authentication Bypass Issues (third-party-advisory)

Frequently asked questions

What is CVE-2026-4349?: CVE-2026-4349 is a medium-severity vulnerability in Duende Identityserver4, classified under Improper Authentication. CVSS score: 5.6/10. Published 2026-03-17.
How severe is CVE-2026-4349?: Medium severity. CVSS v3 base score is 5.6 out of 10.