Token Validation Vulnerability in ZITADEL Identity Management Platform
CVE-2026-56665

4.2MEDIUM

Key Information:

Vendor

Zitadel

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-56665?

ZITADEL, an open-source identity management platform, has a vulnerability affecting versions prior to 3.4.12 and 4.15.2. The issue arises from the external JWT Identity Provider validation, where expiration handling is skipped if an incoming token lacks the 'exp' claim. This flaw can lead to trusted tokens being erroneously accepted as valid indefinitely, posing a significant security risk. It is crucial for users to upgrade to versions 3.4.12 or 4.15.2 to mitigate this vulnerability.

Affected Version(s)

zitadel >= 4.0.0-rc.1, < 4.15.2 < 4.0.0-rc.1, 4.15.2

zitadel < 3.4.12 < 3.4.12

References

CVSS V3.1

Score:
4.2
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.