Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
AC:H reflects the dual prerequisite of an active JWT IdP configuration and a token lacking exp; PR:L reflects required standing in the federated identity flow; C:L/I:L for session persistence abuse with no availability impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL is an open source identity management platform. From 3.0.0-rc.1 through 3.4.11 and from 4.0.0-rc.1 through 4.15.1, ZITADEL's external JWT Identity Provider validation in internal/idp/providers/jwt/session.go skips expiration handling when an incoming token omits the exp claim, allowing a token from a trusted issuer to be treated as valid without an automatic expiration window. This issue is fixed in versions 3.4.12 and 4.15.2.
AnalysisAI
Insufficient JWT expiration enforcement in ZITADEL's external JWT Identity Provider integration allows tokens lacking the exp claim to be treated as indefinitely valid, bypassing intended session lifetime controls. Versions 3.0.0-rc.1 through 3.4.11 and 4.0.0-rc.1 through 4.15.1 are affected, with the flaw residing in internal/idp/providers/jwt/session.go. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that ZITADEL's external JWT Identity Provider integration is actively configured with at least one trusted external issuer - this feature is not enabled by default and must be explicitly set up by an administrator. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 4.2 (Medium) with vector AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N reflects a network-accessible vulnerability requiring high attack complexity and low-privilege access. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with access to a trusted external identity provider (or the ability to influence tokens it issues) crafts a JWT that includes all required claims except `exp` and presents it to a ZITADEL instance configured to trust that issuer. Because ZITADEL's JWT IdP session handler skips expiration enforcement when `exp` is absent, the token is accepted as perpetually valid, granting the attacker a persistent authenticated session that survives indefinitely without requiring re-issuance or refresh. … |
| Remediation | Upgrade to ZITADEL v3.4.12 (https://github.com/zitadel/zitadel/releases/tag/v3.4.12) or v4.15.2 (https://github.com/zitadel/zitadel/releases/tag/v4.15.2), which contain the upstream fixes in commits 4925fab849d39a88674485d937b79e54318b48a8 and d1c3aa84af8fcb0f33910ada30b866f4afb551ac respectively. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Zitadel is open-source identity infrastructure software. Rated critical severity (CVSS 9.1), this vulnerability is remot
ZITADEL is an identity infrastructure system. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable
Stored XSS in ZITADEL identity management platform versions 4.0.0 to 4.11.1 allows unauthenticated attackers to inject p
The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Ra
The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Ra
ZITADEL combines the ease of Auth0 and the versatility of Keycloak.**Actions**, introduced in ZITADEL **1.42.0** on the
Zitadel is open-source identity infrastructure software. Rated high severity (CVSS 8.7), this vulnerability is remotely
ZITADEL users can upload their own avatar image and various image types are allowed. Rated high severity (CVSS 8.7), thi
ZITADEL is an open source identity management platform. [CVSS 8.2 HIGH]
Privilege escalation in ZITADEL identity platform (before 4.15.3) allows an attacker holding a low-privilege OAuth2 toke
ZITADEL versions 4.0.0-rc.1 through 4.7.0 are vulnerable to open redirect attacks through improper validation of the For
ZITADEL provides users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SM
Same weakness CWE-613 – Insufficient Session Expiration
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42963