Identity Management Platform Vulnerability in ZITADEL by ZITADEL
CVE-2026-56664

4.2MEDIUM

Key Information:

Vendor

Zitadel

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-56664?

ZITADEL, an open source identity management platform, has a significant vulnerability affecting its external JWT Identity Provider. This issue stems from the platform's failure to enforce token age freshness checks when incoming tokens lack the 'iat' claim. As a result, older tokens from trusted issuers can bypass authentication, potentially allowing unauthorized access. This vulnerability has been addressed in ZITADEL versions 3.4.12 and 4.15.2, emphasizing the need for users to update their systems to mitigate the risk.

Affected Version(s)

zitadel >= 4.0.0-rc.1, < 4.15.2 < 4.0.0-rc.1, 4.15.2

zitadel < 3.4.12 < 3.4.12

References

CVSS V3.1

Score:
4.2
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.