Token Validation Flaw in ZITADEL Identity Management Platform by ZITADEL
CVE-2026-27840

4.3 MEDIUM

Key Information:

Vendor: Zitadel
Status: Vendor
CVE Published: 26 February 2026

What is CVE-2026-27840?

ZITADEL, an open-source identity management platform, has a token validation flaw in its handling of opaque OIDC access tokens in the v2 format. Versions prior to 3.4.7 and 4.11.0 accept a truncated token, cut down to 80 characters, as valid. The cause lies in how ZITADEL constructs these tokens: they are protected with symmetric AES encryption, and the user identification data is not carried in the token payload. The vulnerability is not considered exploitable and presents no direct risk, but it undermines integrity and trust in the authentication process, since a token that has lost part of its content is still honoured. The patched releases address this by validating the user ID against the session data stored in the database.

Affected Version(s)

  • zitadel >= 4.0.0, < 4.11.0

  • zitadel >= 3.0.0, < 3.4.7

  • zitadel >= 2.31.0, <= 2.71.19

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved