Intel

AIKIDO-2026-871761

Microsoft.Identity.Web is vulnerable to Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 3 days ago

43

Medium Risk

This Affects:

DOTNETMicrosoft.Identity.Web
4.6.0 - 4.8.0
Fixed in 4.9.0
Are you affected? Scan for Free

TL;DR

The Blazor-generated POST /logout endpoint now requires authentication and enforces antiforgery protection (removing the prior antiforgery opt-out), mitigating CSRF/logout-forgery risks.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

Microsoft.Identity.Web is vulnerable to Cross-Site Request Forgery (CSRF) in versions 4.6.0 - 4.8.0.

How to fix this

Upgrade the Microsoft.Identity.Web library to the patch version.