GHSA-7QJX-GP9H-65QJ: Improper Authorization in Dex Token Exchange
Vulnerability ID: GHSA-7QJX-GP9H-65QJ
CVSS Score: 8.7
Published: 2026-06-09
An improper authorization vulnerability in the unreleased development master branch of Dex allows clients to bypass the AllowedConnectors access control list using the token-exchange endpoint.
TL;DR
The Dex token-exchange endpoint does not validate AllowedConnectors, allowing an attacker holding a compromised client secret to escalate privileges by exchanging tokens for identities from identity providers (connectors) the client is not authorized to use.
⚠️ Exploit Status: POC
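The missing check, shown as an added illustration in Go that is not Dex's own code: a hypothetical client record with an AllowedConnectors list, an authorizer that reproduces the flaw by granting any exchange once the client secret is accepted, and a fixed authorizer that also requires the connector behind the subject identity to be on the list. The type and field names, the sample client and request, and the rule that an empty list means "any connector" are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Client is a hypothetical OIDC client record for this example; the field
// names are assumptions, not Dex's own types.
type Client struct {
	ID                string
	Secret            string
	AllowedConnectors []string // assumption: empty means "any connector"
}

// ExchangeRequest is what remains of an RFC 8693 token-exchange request after
// the subject token has been verified: the authenticating client and the
// connector (identity provider) that produced the subject identity.
type ExchangeRequest struct {
	ClientID     string
	ClientSecret string
	ConnectorID  string
}

var (
	ErrBadClient           = errors.New("unknown client or bad secret")
	ErrConnectorNotAllowed = errors.New("connector not allowed for client")
)

// authenticateClient is the step both variants share: the exchange is only
// considered for a client that presents the correct secret.
func authenticateClient(c Client, req ExchangeRequest) error {
	if c.ID != req.ClientID || c.Secret != req.ClientSecret {
		return ErrBadClient
	}
	return nil
}

// authorizeExchangeVulnerable reproduces the flaw the advisory describes:
// once the client secret checks out, the exchange is granted no matter which
// connector issued the subject identity, so AllowedConnectors is bypassed.
func authorizeExchangeVulnerable(c Client, req ExchangeRequest) error {
	return authenticateClient(c, req)
}

// authorizeExchangeFixed adds the missing step: the connector behind the
// subject identity must appear on the client's AllowedConnectors list.
func authorizeExchangeFixed(c Client, req ExchangeRequest) error {
	if err := authenticateClient(c, req); err != nil {
		return err
	}
	if len(c.AllowedConnectors) == 0 {
		return nil // assumption for this example: no list means unrestricted
	}
	for _, id := range c.AllowedConnectors {
		if id == req.ConnectorID {
			return nil
		}
	}
	return fmt.Errorf("%w: client %q, connector %q",
		ErrConnectorNotAllowed, c.ID, req.ConnectorID)
}

func main() {
	// Constructed sample: a client restricted to the corporate LDAP connector,
	// and an exchange whose subject identity came from a different connector.
	client := Client{ID: "billing-api", Secret: "s3cret", AllowedConnectors: []string{"corp-ldap"}}
	req := ExchangeRequest{ClientID: "billing-api", ClientSecret: "s3cret", ConnectorID: "social-login"}

	fmt.Println("vulnerable:", authorizeExchangeVulnerable(client, req)) // nil: the exchange is granted
	fmt.Println("fixed:     ", authorizeExchangeFixed(client, req))      // connector not allowed for client
}
```

The point of splitting authentication from authorization is that a valid client secret proves who the client is, not which identities it may act on; the connector restriction is a separate decision that every token-issuing path, including token exchange, has to make.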
Technical Details
- CWE ID: CWE-285
- Attack Vector: Network
- CVSS v3.1: 8.7 (High)
- Impact: Privilege Escalation
- Exploit Status: Proof of Concept
- KEV Status: Not Listed
Affected Systems
- Dex (OIDC & OAuth 2.0 Provider): development builds on the master branch
- Dex: master branch (>= f80a89d and < 204dbb2e3ff7); fixed in master branch commit 204dbb2e3ff7692af3b7ca4362b1ee46fb43c227
Code Analysis
Commit: 204dbb2
Fix token-exchange AllowedConnectors authorization bypass
Exploit Details
- GitHub Security Advisory: Advisory documenting the missing validation logic and detailing manual verification.
Mitigation Strategies
- Upgrade to a master branch head that contains commit 204dbb2e3ff7692af3b7ca4362b1ee46fb43c227, or stay on stable tagged releases.
- Regularly rotate client secrets to minimize exposure risks.
- Implement Web Application Firewall (WAF) rules to filter or drop token-exchange requests if the feature is not strictly required.
Remediation Steps
- Determine whether your Dex instance runs a development build based on the master branch from after March 2026.
- Apply the code patch by rebuilding Dex with commit 204dbb2e3ff7692af3b7ca4362b1ee46fb43c227, or migrate back to the stable release v2.45.1.
- Validate client configurations and revoke compromised client secrets immediately.