Token Validation Vulnerability in ZITADEL Identity Management Platform
CVE-2026-56665
4.2MEDIUM
What is CVE-2026-56665?
ZITADEL, an open-source identity management platform, has a vulnerability affecting versions prior to 3.4.12 and 4.15.2. The issue arises from the external JWT Identity Provider validation, where expiration handling is skipped if an incoming token lacks the 'exp' claim. This flaw can lead to trusted tokens being erroneously accepted as valid indefinitely, posing a significant security risk. It is crucial for users to upgrade to versions 3.4.12 or 4.15.2 to mitigate this vulnerability.
Affected Version(s)
zitadel >= 4.0.0-rc.1, < 4.15.2 < 4.0.0-rc.1, 4.15.2
zitadel < 3.4.12 < 3.4.12
