On March 10, 2026, Microsoft disclosed CVE-2026-26127, a high-severity denial-of-service vulnerability in the Microsoft.BCL.Memory NuGet package. It can be triggered when decoding malformed Base64Url input.
Because several Duende packages depend on this package transitively, your builds may now show NuGet vulnerability warnings. We've shipped patch releases across our library stack to resolve this. Here's what you need to know.
The Vulnerability
CVE-2026-26127 is an out-of-bounds read triggered when decoding malformed Base64Url input. It carries a CVSS 3.1 score of 7.5 (High) and affects:
- Microsoft.BCL.Memory 9.0.0 through 9.0.13 (patched in 9.0.14)
- Microsoft.BCL.Memory 10.0.0 through 10.0.3 (patched in 10.0.4)
For full details, see Microsoft's advisory and the GitHub Advisory Database entry.
How This Affects Duende Packages
Duende.IdentityModel, and the libraries built on top of it, pulled in the vulnerable Microsoft.BCL.Memory as a transitive dependency. If you consume any of these packages and target net8.0, net9.0, or netstandard2.0, NuGet will flag the vulnerability during restore or when you open the solution in Visual Studio, VS Code, or JetBrains Rider.
To be clear: the vulnerability is in the upstream Microsoft dependency, not in Duende code. However, we believe the right thing to do is ship patches that pull in the fix so you don't have to manage the transitive dependency yourself.
Patch Releases
We've published the following updates. Each release is a dependency-version bump only — no API changes, no behavioral changes.
| Package | Patched Version | NuGet |
|---|---|---|
| Duende.IdentityModel | 8.0.1 | NuGet |
| Duende.IdentityModel.OidcClient | 7.0.1 | NuGet |
| Duende.IdentityModel.OidcClient.Extensions | 7.0.1 | NuGet |
| Duende.AccessTokenManagement | 4.1.2 | NuGet |
| Duende.AspNetCore.Authentication.OAuth2Introspection | 7.0.1 | NuGet |
| Duende.IdentityServer | 7.4.7 | NuGet |
| Duende.BFF | 4.1.2 | NuGet |
| Duende.BFF.Blazor | 4.1.2 | NuGet |
| Duende.BFF.Blazor.Client | 4.1.2 | NuGet |
| Duende.BFF.EntityFramework | 4.1.2 | NuGet |
| Duende.BFF.Yarp | 4.1.2 | NuGet |
Note: Only the latest minor release line of each product received a patch (IdentityServer 7.4.x, BFF 4.1.x). If you are on an older minor version, use the workaround described below.
What Should You Do?
There are several things you can do to address this vulnerability in your own projects.
Option 1: Update the Duende package (recommended)
Update to the patched version listed above. This is the simplest path and pulls in the fixed transitive dependency automatically.
```xml
<PackageReference Include="Duende.IdentityServer" Version="7.4.7" />
```
Option 2: Pin the transitive dependency directly
If you can't update Duende packages right away, add an explicit reference to the patched Microsoft.BCL.Memory package:
```xml
<PackageReference Include="Microsoft.Bcl.Memory" Version="10.0.4" />
```
Use version 9.0.14 if you are on the 9.x dependency line.
Option 3: Pin Duende.IdentityModel
If you consume Duende.IdentityModel only as a transitive dependency (through another Duende or third-party package) and want a targeted fix, you can pin the package directly:
```xml
<PackageReference Include="Duende.IdentityModel" Version="8.0.1" />
```
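Whichever option you pick, you will want to confirm that no target framework in a project still resolves an affected Microsoft.Bcl.Memory. The following script is an added example (not Duende or Microsoft code) that encodes the affected ranges stated above and scans the resolved package graph in `obj/project.assets.json`; the sample document embedded in it is constructed to show one vulnerable and one patched resolution, and the dependency versions in it are illustrative, not the real package metadata.

```python
import json
import re
import sys

# Affected ranges for CVE-2026-26127 as given in the advisory:
# 9.0.0-9.0.13 (fixed in 9.0.14) and 10.0.0-10.0.3 (fixed in 10.0.4).
FIRST_PATCHED = {9: 14, 10: 4}   # major -> first safe patch number on the x.0.z line
PACKAGE_ID = "microsoft.bcl.memory"  # NuGet package ids are case-insensitive


def parse_version(text):
    """Return (major, minor, patch) from a NuGet version string.
    Assumption: a prerelease/build suffix is ignored, so 10.0.4-preview counts as 10.0.4."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_vulnerable(version):
    """True if this Microsoft.Bcl.Memory version falls inside an affected range."""
    major, minor, patch = parse_version(version)
    fixed = FIRST_PATCHED.get(major)
    return fixed is not None and minor == 0 and patch < fixed


def find_vulnerable_targets(assets):
    """Return [(target framework, resolved version)] for every affected resolution
    in a parsed project.assets.json document (keys under "targets" are "Id/Version")."""
    hits = []
    for target, libraries in assets.get("targets", {}).items():
        for key in libraries:
            pkg_id, _, version = key.partition("/")
            if pkg_id.lower() == PACKAGE_ID and is_vulnerable(version):
                hits.append((target, version))
    return hits


# Constructed sample in the shape of obj/project.assets.json (not from a real project).
SAMPLE_ASSETS = json.loads("""{
  "version": 3,
  "targets": {
    ".NETCoreApp,Version=v8.0": {
      "Duende.IdentityModel/8.0.0": {"type": "package", "dependencies": {"Microsoft.Bcl.Memory": "9.0.5"}},
      "Microsoft.Bcl.Memory/9.0.5": {"type": "package"}
    },
    ".NETCoreApp,Version=v10.0": {
      "Duende.IdentityModel/8.0.1": {"type": "package", "dependencies": {"Microsoft.Bcl.Memory": "10.0.4"}},
      "Microsoft.Bcl.Memory/10.0.4": {"type": "package"}
    }
  }
}""")

if __name__ == "__main__":
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_ASSETS
    for target, version in find_vulnerable_targets(doc):
        print(f"{target}: Microsoft.Bcl.Memory {version} is affected by CVE-2026-26127")
```

Run it as `python check_bcl_memory.py obj/project.assets.json` after a restore; on a connected machine `dotnet list package --vulnerable --include-transitive` gives the same answer from the GitHub Advisory Database, but this check also works offline against restore artifacts kept from a CI run.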
Timeline
| Date | Event |
|---|---|
| March 10, 2026 | Microsoft discloses CVE-2026-26127 |
| March 12–13, 2026 | Duende ships patch releases |
Questions?
If you have questions or run into issues updating, reach out through our GitHub Community or other support channels.