Skip to main content

ZITADEL CVE-2026-55669

| EUVDEUVD-2026-42958 MEDIUM
Origin Validation Error (CWE-346)
2026-06-18 https://github.com/zitadel/zitadel GHSA-g5h5-m4hm-xjrr
4.2
CVSS 3.1 · Vendor: https://github.com/zitadel/zitadel
Share

Severity by source

Vendor (https://github.com/zitadel/zitadel) PRIMARY
4.2 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
4.2 MEDIUM

Network-reachable endpoint, but AC:H captures the rare cross-service topology prerequisite; PR:L because attacker must be authenticated to a co-tenant service on the shared IdP.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/zitadel/zitadel).

CVSS VectorVendor: https://github.com/zitadel/zitadel

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 18, 2026 - 14:31 vuln.today
Analysis Generated
Jun 18, 2026 - 14:31 vuln.today
CVE Published
Jun 18, 2026 - 13:52 github-advisory
MEDIUM 4.2

DescriptionCVE.org

Summary

An authentication bypass vulnerability was discovered in ZITADEL's external JWT Identity Provider (IdP) implementation.

When validating JSON Web Tokens (JWTs) from an external provider, ZITADEL properly checks the token's cryptographic signature and issuer (iss), but it fails to validate the audience (aud) claim.

As a result, any validly signed token from the trusted issuer will be accepted. An attacker who is a legitimate user of a completely separate service sharing the same enterprise Identity Provider can intercept or present their token for that service to ZITADEL, successfully authenticating as that user without authorization.

Impact

In a controlled enterprise environment where Identity Providers are explicitly managed, the operational risk is localized. Exploitation requires that an attacker already possesses a valid standard user session token from a shared, trusted issuer intended for an entirely different relying party, limiting the vector to specific, rare cross-service setups where trust boundaries overlap.

Affected Versions

Systems running one of the following versions are affected:

  • 4.x: 4.0.0 through 4.11.0 (including RC versions)
  • 3.x: 3.0.0 through 3.4.11 (including RC versions)

Patches

The vulnerability has been addressed in the latest releases, where a required audience can be set in the IdP configuration. Once provided, audience validation will be enforced.

Workarounds

The recommended solution is to update ZITADEL to a patched version.

If an immediate upgrade is not possible, you can mitigate the risk at the infrastructure layer:

  1. At the IdP: Ensure the external Identity Provider issues scoped tokens with highly unique, non-overlapping audience values that cannot be misconstrued by separate service deployments.
  2. At the Perimeter: Deploy a reverse proxy, API gateway, or Web Application Firewall (WAF) layer in front of ZITADEL to inspect incoming identity tokens and explicitly drop requests where the aud field does not strictly match ZITADEL's deployment target.

Questions

If you have any questions or comments about this advisory, please email us at [security@zitadel.com](mailto:security@zitadel.com)

Credits

Thanks to Android-Login-Analysis, Jason Zhou and Pedro Giglioti for reporting this vulnerability.

AnalysisAI

Authentication bypass in ZITADEL's external JWT Identity Provider allows a legitimate user of a co-tenant service sharing the same enterprise IdP to authenticate to ZITADEL using a token issued for a different relying party. Affected versions span ZITADEL 3.0.0-3.4.11 and 4.0.0-4.11.0; the flaw arises because ZITADEL correctly validates the JWT cryptographic signature and iss claim but entirely omits validation of the aud claim, violating RFC 7519 audience binding semantics. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to separate co-tenant service on shared enterprise IdP
Delivery
Obtain valid unexpired JWT scoped to that service
Exploit
Identify ZITADEL deployment using same trusted issuer
Execution
Submit cross-service JWT to ZITADEL JWT IdP endpoint
Persist
ZITADEL validates signature and iss, skips aud check
Impact
Gain unauthorized authenticated session as victim identity in ZITADEL

Vulnerability AssessmentAI

Exploitation The external JWT Identity Provider feature in ZITADEL must be configured and in active use - this is a non-default integration requiring an administrator to have explicitly set up a JWT IdP pointing to a trusted external issuer. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N yields a score of 4.2, which accurately reflects the constrained real-world risk: while the flaw is network-reachable, the high attack complexity (AC:H) captures the rare cross-service topology prerequisite, and PR:L reflects that the attacker must already be an authenticated user of another service on the shared IdP. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who is a legitimate authenticated employee using an internal HR portal that shares a corporate Identity Provider with a ZITADEL instance obtains their own valid, unexpired JWT issued for the HR portal. The attacker presents this token directly to ZITADEL's JWT IdP authentication endpoint; ZITADEL validates the cryptographic signature and confirms the trusted issuer matches, but never checks that the `aud` claim identifies ZITADEL as the intended recipient, so it authenticates the attacker as that employee within ZITADEL and grants them the corresponding role-based access. …
Remediation Vendor-released patches are available: upgrade ZITADEL 3.x deployments to version 3.4.12 or later (https://github.com/zitadel/zitadel/releases/tag/v3.4.12) and ZITADEL 4.x deployments to version 4.15.2 or later (https://github.com/zitadel/zitadel/releases/tag/v4.15.2). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55669 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy