Identity Management Platform Vulnerability in ZITADEL by ZITADEL
CVE-2026-56664
4.2MEDIUM
What is CVE-2026-56664?
ZITADEL, an open source identity management platform, has a significant vulnerability affecting its external JWT Identity Provider. This issue stems from the platform's failure to enforce token age freshness checks when incoming tokens lack the 'iat' claim. As a result, older tokens from trusted issuers can bypass authentication, potentially allowing unauthorized access. This vulnerability has been addressed in ZITADEL versions 3.4.12 and 4.15.2, emphasizing the need for users to update their systems to mitigate the risk.
Affected Version(s)
zitadel >= 4.0.0-rc.1, < 4.15.2 < 4.0.0-rc.1, 4.15.2
zitadel < 3.4.12 < 3.4.12
