Browse all 4 CVE security advisories affecting DuendeSoftware. AI-powered Chinese analysis, POCs, and references for each vulnerability.
DuendeSoftware develops identity and access management solutions, primarily serving applications requiring secure authentication and authorization. Historically, their products have been susceptible to remote code execution, cross-site scripting, and privilege escalation vulnerabilities, often stemming from improper input validation and access control flaws. While no major public security incidents have been widely documented, the four CVEs on record highlight recurring issues in authentication mechanisms and API security. Their security posture typically emphasizes rapid patching for identified vulnerabilities, though the persistence of similar flaw types suggests potential challenges in addressing underlying design weaknesses in their access control implementations.
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2025-26620 | Duende.AccessTokenManagement race condition when concurrently retrieving customized Client Credentials Access Tokens — fossCWE-367 | 5.9 | - | 2025-02-18 |
| CVE-2024-51987 | HTTP Client uses incorrect token after refresh in Duende.AccessTokenManagement.OpenIdConnect — Duende.AccessTokenManagementCWE-270 | 5.4 | Medium | 2024-11-07 |
| CVE-2024-49755 | Duende IdentityServer has insufficient validation of DPoP cnf claim in Local APIs — IdentityServerCWE-287 | 3.1 | Low | 2024-10-28 |
| CVE-2024-39694 | Duende IdentityServer Open Redirect vulnerability — IdentityServerCWE-601 | 4.7 | Medium | 2024-07-31 |
This page lists every published CVE security advisory associated with DuendeSoftware. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.