CVE-2025-26620: Duende.AccessTokenManagement race condition when concurrently retrieving customized Client Credentials Access Tokens

February 19, 2025

Duende.AccessTokenManagement contains a race condition when requesting access tokens using the client credentials flow. Concurrent requests to obtain an access token using differing protocol parameters can return access tokens obtained with the wrong scope, resource indicator, or other protocol parameters. Such usage is somewhat atypical, and only a small percentage of users are likely to be affected.

References

github.com/DuendeSoftware/foss
github.com/DuendeSoftware/foss/commit/a33332ddec0ebf3c048ba85427e3c77d47c68dac
github.com/DuendeSoftware/foss/security/advisories/GHSA-qxj7-2x7w-3mpp
github.com/advisories/GHSA-qxj7-2x7w-3mpp
nvd.nist.gov/vuln/detail/CVE-2025-26620

Detect and mitigate CVE-2025-26620 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →