OAuth2 and OIDC Flaw in ZITADEL Identity Management Platform
CVE-2026-55672
7.4HIGH
What is CVE-2026-55672?
ZITADEL's identity management platform is compromised due to flaws in its OAuth2 and OpenID Connect (OIDC) token flows. Specifically, the system fails to ensure that the requesting client matches the client that initiated the authorization flow. This oversight allows for the possibility of intercepted grants or refresh tokens being exchanged under a different client, resulting in unauthorized access. The issue has been resolved in versions 3.4.12 and 4.15.2, which implement enhanced verification measures to secure the token exchange process.
Affected Version(s)
zitadel >= 4.0.0-rc.1, < 4.15.2 < 4.0.0-rc.1, 4.15.2
zitadel < 3.4.12 < 3.4.12
