CVE-2025-26620
C# vulnerability analysis and mitigation

Overview

Duende.AccessTokenManagement, a set of .NET libraries that manage OAuth and OpenID Connect access tokens, contains a race condition vulnerability (CVE-2025-26620) discovered in February 2025. The vulnerability affects versions 3.1.1 and earlier: concurrent requests to obtain an access token via the client credentials flow with differing protocol parameters can return an access token that was obtained with a different scope, resource indicator, or other protocol parameter than the one requested (GitHub Advisory).

Technical details

The vulnerability occurs when using the specific overloads of the methods HttpContext.GetClientAccessTokenAsync() and IClientCredentialsTokenManagementService.GetAccessTokenAsync() that accept a TokenRequestParameters object for customizing the token request. When concurrent requests are made with varying TokenRequestParameters, the race condition causes the same token to be returned to all concurrent callers, regardless of the different parameters each of them specified (GitHub Advisory). The vulnerability has been assigned a CVSS v4.0 base score of 6.3 (Medium) with vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N (NVD).
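The following C# is an added example, not code from the advisory or from the Duende project. It shows the affected call pattern (GetAccessTokenAsync with a TokenRequestParameters object) wrapped in a post-retrieval check that compares the scope the issuer actually granted against the scope that was requested, so that a mixed-up token from the race described above fails loudly instead of being used. It assumes the public types of Duende.AccessTokenManagement 3.x as named on this page, plus the Scope and ForceRenewal properties on TokenRequestParameters and the Scope and AccessToken properties on the returned ClientCredentialsToken; those property names are assumptions to verify against the installed package.

```csharp
// Added example (not from the advisory or the Duende project).
// Assumed API: IClientCredentialsTokenManagementService.GetAccessTokenAsync(
//   clientName, TokenRequestParameters, CancellationToken) returning a
//   ClientCredentialsToken with Scope and AccessToken properties.
using System;
using System.Threading;
using System.Threading.Tasks;
using Duende.AccessTokenManagement;

public sealed class ScopedTokenClient
{
    private readonly IClientCredentialsTokenManagementService _tokens;

    public ScopedTokenClient(IClientCredentialsTokenManagementService tokens)
        => _tokens = tokens;

    // Requests a token for exactly one scope and verifies that the issuer granted it.
    // On an unpatched version (<= 3.1.1), two concurrent callers with different
    // parameters can both receive the token from whichever request won the race;
    // this check turns that silent mix-up into a visible failure.
    public async Task<string> GetTokenForScopeAsync(
        string clientName, string scope, CancellationToken ct)
    {
        var parameters = new TokenRequestParameters { Scope = scope };   // assumed property
        var token = await _tokens.GetAccessTokenAsync(clientName, parameters, ct);

        if (!ScopeWasGranted(token.Scope, scope))
        {
            // Bypass the cache once (assumed ForceRenewal property). If the mismatch
            // persists, the issuer really did not grant the scope and the caller
            // must not proceed with this token.
            parameters.ForceRenewal = true;
            token = await _tokens.GetAccessTokenAsync(clientName, parameters, ct);
            if (!ScopeWasGranted(token.Scope, scope))
                throw new InvalidOperationException(
                    $"Token for client '{clientName}' lacks scope '{scope}' " +
                    $"(granted: '{token.Scope ?? "<none>"}').");
        }
        return token.AccessToken
            ?? throw new InvalidOperationException("Token response carried no access_token.");
    }

    // RFC 6749 returns "scope" as a space-delimited list. An omitted value means
    // "same as requested", but that is exactly what cannot be trusted here, so this
    // policy treats it as unverifiable (false); use it only with issuers that echo scope.
    internal static bool ScopeWasGranted(string? granted, string requested)
    {
        if (string.IsNullOrWhiteSpace(granted)) return false;
        foreach (var s in granted.Split(' ', StringSplitOptions.RemoveEmptyEntries))
            if (s == requested) return true;
        return false;
    }
}
```

The check is a detection aid for code paths that cannot be upgraded immediately; it does not remove the race, and the resource server's own authorization policy remains the control that ultimately decides what a token may do. Upgrading to 3.2.0 is the fix.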

Impact

The impact depends on how Duende.AccessTokenManagement is used and on the security architecture of the solution. Most users are not vulnerable to this issue; advanced users who call the affected methods with customized token request parameters may receive tokens with scopes or parameters other than the ones they requested. How severe it is to obtain an access token with protocol parameters other than those intended depends on the application logic, the security architecture, and the authorization policy of the resource servers (GitHub Advisory).

Mitigation and workarounds

The vulnerability is patched in version 3.2.0; most users only need to update the NuGet package to the latest version. Users who customize IClientCredentialsTokenCache by deriving from the default implementation (DistributedClientCredentialsTokenCache) need a small code change: the base constructor now takes a dependency on the ITokenRequestSynchronization service, which must be injected into the derived class and passed through to the base constructor (GitHub Advisory).
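As an added example (not code from the advisory or the Duende project), here is what a derived cache looks like after the 3.2.0 upgrade: the new ITokenRequestSynchronization dependency is injected and passed to the base constructor. The full base constructor signature (IDistributedCache, ITokenRequestSynchronization, IOptions<ClientCredentialsTokenManagementOptions>, ILogger<DistributedClientCredentialsTokenCache>), its parameter order, and the assumption that SetAsync is a virtual member with the signature shown are assumptions to check against the installed package; the AuditingTokenCache class and its logging are invented for illustration.

```csharp
// Added example (not from the advisory or the Duende project).
// Assumed base constructor order: (cache, synchronization, options, logger).
using System.Threading;
using System.Threading.Tasks;
using Duende.AccessTokenManagement;
using Microsoft.Extensions.Caching.Distributed;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

public sealed class AuditingTokenCache : DistributedClientCredentialsTokenCache
{
    private readonly ILogger<AuditingTokenCache> _log;

    // Before 3.2.0 the base constructor did not take ITokenRequestSynchronization.
    // A derived class written against 3.1.1 fails to compile against 3.2.0 until
    // this parameter is added and forwarded; that compile error is the intended
    // signal that the cache now participates in per-request synchronization.
    public AuditingTokenCache(
        IDistributedCache cache,
        ITokenRequestSynchronization synchronization,   // new dependency in 3.2.0
        IOptions<ClientCredentialsTokenManagementOptions> options,
        ILogger<DistributedClientCredentialsTokenCache> baseLogger,
        ILogger<AuditingTokenCache> log)
        : base(cache, synchronization, options, baseLogger)
    {
        _log = log;
    }

    // Hypothetical customization: record which scope each cached token was
    // obtained for, so a scope mismatch is visible in the logs. Assumes SetAsync
    // is virtual with this signature.
    public override Task SetAsync(
        string clientName,
        ClientCredentialsToken clientCredentialsToken,
        TokenRequestParameters requestParameters,
        CancellationToken cancellationToken = default)
    {
        _log.LogInformation(
            "Caching client credentials token for {Client}, requested scope {RequestedScope}, granted scope {GrantedScope}",
            clientName, requestParameters.Scope, clientCredentialsToken.Scope);
        return base.SetAsync(clientName, clientCredentialsToken, requestParameters, cancellationToken);
    }
}
```

Registration is unchanged by the upgrade: the derived class replaces the default IClientCredentialsTokenCache service in the container after AddClientCredentialsTokenManagement() has been called, and the ITokenRequestSynchronization service is resolved by dependency injection from the package's own registrations.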

Community reactions

The vulnerability was responsibly disclosed by Michael Dimoudis of PageUp, leading to a coordinated response and patch release (GitHub Advisory).

Additional resources

Source: GitHub Advisory, NVD (cited above)

This report was generated using AI.

Related C# vulnerabilities:

CVE ID          | Severity | Score | Technologies | Component name             | CISA KEV exploit | Has fix | Published date
CVE-2025-64095  | CRITICAL | 9.8   | C#           | DNN.PLATFORM               | No               | Yes     | Oct 28, 2025
CVE-2025-62594  | MEDIUM   | 5.5   | C#           | Magick.NET-Q8-OpenMP-arm64 | No               | Yes     | Oct 27, 2025
CVE-2025-64094  | MEDIUM   | 5.4   | C#           | DotNetNuke.Core            | No               | Yes     | Oct 28, 2025
CVE-2025-65955  | MEDIUM   | 4.9   | C#           | Magick.NET-Q8-arm64        | No               | Yes     | Dec 02, 2025
CVE-2025-62802  | MEDIUM   | 4.3   | C#           | Dnn.Platform               | No               | Yes     | Oct 28, 2025
