Skip to main content

ZITADEL CVE-2026-56668

| EUVDEUVD-2026-42967 HIGH
Missing Authorization (CWE-862)
2026-07-10 GitHub_M
8.1
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
8.1 HIGH

Network-reachable token endpoint (AV:N/AC:L); a valid low-scope token is required so PR:L not PR:N; escalation yields high confidentiality and integrity impact but no availability effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch available
Jul 10, 2026 - 19:01 EUVD
Analysis Generated
Jul 10, 2026 - 18:22 vuln.today
CVE Published
Jul 10, 2026 - 17:46 cve.org
HIGH 8.1

DescriptionCVE.org

ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL's OAuth2 Token Exchange endpoint for urn:ietf:params:oauth:grant-type:token-exchange does not verify that the subject token belongs to the requesting client or that requested scopes remain within the original token's scopes, allowing a low-privilege token to be exchanged for elevated permissions at another application. This issue is fixed in version 4.15.3.

AnalysisAI

Privilege escalation in ZITADEL identity platform (before 4.15.3) allows an attacker holding a low-privilege OAuth2 token to exchange it for elevated permissions at a different application, because the token-exchange endpoint fails to bind the subject token to the requesting client and does not constrain requested scopes to the original token's scopes. Any authenticated principal with a valid low-scope token can escalate laterally across relying applications; no public exploit is identified at time of analysis and it is not listed in CISA KEV. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege OAuth2 token
Delivery
Craft token-exchange request with elevated scopes
Exploit
Endpoint skips ownership and scope checks
Execution
Receive elevated token for another application
Impact
Access unauthorized application permissions

Vulnerability AssessmentAI

Exploitation Exploitation requires the ZITADEL OAuth2 Token Exchange endpoint (grant type urn:ietf:params:oauth:grant-type:token-exchange) to be reachable and enabled, and the attacker must already hold a valid low-privilege token issued by the target ZITADEL instance (PR:L / authenticated). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 8.1 (High) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N - network-reachable, low attack complexity, only low privileges required (a valid low-scope token), no user interaction, high confidentiality and integrity impact, no availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who obtains any low-privilege OAuth2 token from a vulnerable ZITADEL instance - for example a limited token for a low-value application - sends a token-exchange request presenting that token as the subject while requesting broader scopes or a token for a higher-value application. Because ZITADEL does not verify token ownership or scope containment, it returns an elevated token granting access the attacker was never authorized for. …
Remediation Vendor-released patch: upgrade ZITADEL to version 4.15.3 or later, which restores the missing checks so the token-exchange endpoint verifies the subject token belongs to the requesting client and confines requested scopes to the original token's scopes (release: https://github.com/zitadel/zitadel/releases/tag/v4.15.3; advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-vrh8-c9cm-wh8v). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Enumerate all ZITADEL deployments and document current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-49753 CRITICAL POC
9.1 Oct 25

Zitadel is open-source identity infrastructure software. Rated critical severity (CVSS 9.1), this vulnerability is remot

CVE-2023-49097 HIGH POC
8.8 Nov 30

ZITADEL is an identity infrastructure system. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable

CVE-2026-29191 CRITICAL
9.3 Mar 07

Stored XSS in ZITADEL identity management platform versions 4.0.0 to 4.11.1 allows unauthenticated attackers to inject p

CVE-2025-27507 CRITICAL
9.0 Mar 04

The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Ra

CVE-2024-49757 MEDIUM POC
4.9 Oct 25

The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Ra

CVE-2022-36051 HIGH
8.8 Aug 31

ZITADEL combines the ease of Auth0 and the versatility of Keycloak.**Actions**, introduced in ZITADEL **1.42.0** on the

CVE-2025-31123 HIGH
8.7 Mar 31

Zitadel is open-source identity infrastructure software. Rated high severity (CVSS 8.7), this vulnerability is remotely

CVE-2024-29891 HIGH
8.7 Mar 27

ZITADEL users can upload their own avatar image and various image types are allowed. Rated high severity (CVSS 8.7), thi

CVE-2026-29193 HIGH
8.2 Mar 07

ZITADEL is an open source identity management platform. [CVSS 8.2 HIGH]

CVE-2026-29067 HIGH
8.1 Mar 07

ZITADEL versions 4.0.0-rc.1 through 4.7.0 are vulnerable to open redirect attacks through improper validation of the For

CVE-2024-32868 HIGH
8.1 Apr 26

ZITADEL provides users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SM

CVE-2025-46815 HIGH
8.0 May 06

The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API

Share

CVE-2026-56668 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy