GHSA-7qjx-gp9h-65qj: Dex: Token-exchange endpoint is missing AllowedConnectors enforcement
server/handlers.go::handleTokenExchange (lines 1804-1893) does not call isConnectorAllowed(client.AllowedConnectors, connID) before issuing tokens, while sibling handlers do. This is a per-client connector ACL gap on the token-exchange endpoint; the redirect-flow paths enforce the same field correctly.
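The gap and the corrected order of operations, as an added Go example that is not Dex's source code: Client, ErrConnectorNotAllowed, exchangeUnchecked and exchangeChecked are hypothetical stand-ins, and only the name and arguments of isConnectorAllowed come from the advisory. Its body, including the rule that an empty list means no restriction, is an assumption.

```go
package main

import (
	"errors"
	"fmt"
)

// Client is a hypothetical stand-in for a client record with a connector ACL.
type Client struct {
	ID                string
	AllowedConnectors []string
}

var ErrConnectorNotAllowed = errors.New("connector not allowed for this client")

// isConnectorAllowed has the name and arguments given in the advisory.
// Assumption: an empty list means the client has no connector restriction.
func isConnectorAllowed(allowed []string, connID string) bool {
	if len(allowed) == 0 {
		return true
	}
	for _, id := range allowed {
		if id == connID {
			return true
		}
	}
	return false
}

// exchangeUnchecked models the gap: a token is issued without consulting the ACL.
func exchangeUnchecked(c Client, connID string) (string, error) {
	return fmt.Sprintf("token client=%s connector=%s", c.ID, connID), nil
}

// exchangeChecked enforces the per-client ACL before any token is issued.
func exchangeChecked(c Client, connID string) (string, error) {
	if !isConnectorAllowed(c.AllowedConnectors, connID) {
		return "", ErrConnectorNotAllowed
	}
	return fmt.Sprintf("token client=%s connector=%s", c.ID, connID), nil
}

func main() {
	c := Client{ID: "app-a", AllowedConnectors: []string{"ldap"}} // constructed sample
	for _, conn := range []string{"ldap", "github"} {
		_, err := exchangeChecked(c, conn)
		fmt.Printf("%-6s checked_err=%v\n", conn, err)
	}
}
```

A regression test for the fix can follow the same shape: one client restricted to a single connector, one request per connector, and an assertion that the token-exchange path rejects the connector that is not listed.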