JWT Misconfiguration in ZITADEL Identity Management Platform
CVE-2026-55669

4.2MEDIUM

Key Information:

Vendor

Zitadel

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-55669?

ZITADEL is an open source identity management platform that previously lacked proper audience claim validation in its external JWT Identity Provider. This oversight meant that a validly signed JWT token from a trustworthy issuer could be accepted for a different relying party, exposing the system to potential security risks. Users are urged to upgrade to versions 3.4.12 and 4.15.2, which address this vulnerability by ensuring that the audience (aud) claim is also validated, enhancing the overall integrity of token-based authentication.

Affected Version(s)

zitadel >= 4.0.0-rc.1, < 4.15.2 < 4.0.0-rc.1, 4.15.2

zitadel < 3.4.12 < 3.4.12

References

CVSS V3.1

Score:
4.2
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.