JWT Misconfiguration in ZITADEL Identity Management Platform
CVE-2026-55669
4.2MEDIUM
What is CVE-2026-55669?
ZITADEL is an open source identity management platform that previously lacked proper audience claim validation in its external JWT Identity Provider. This oversight meant that a validly signed JWT token from a trustworthy issuer could be accepted for a different relying party, exposing the system to potential security risks. Users are urged to upgrade to versions 3.4.12 and 4.15.2, which address this vulnerability by ensuring that the audience (aud) claim is also validated, enhancing the overall integrity of token-based authentication.
Affected Version(s)
zitadel >= 4.0.0-rc.1, < 4.15.2 < 4.0.0-rc.1, 4.15.2
zitadel < 3.4.12 < 3.4.12
