Skip to main content

ZITADEL EUVDEUVD-2026-42962

| CVE-2026-56664 MEDIUM
Insufficient Session Expiration (CWE-613)
2026-07-10 GitHub_M
4.2
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
4.2 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
4.2 MEDIUM

Requires external JWT IdP configured and token without iat from trusted issuer (AC:H, PR:L); limited C/I impact bounded by token scope; no availability effect.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
Jul 10, 2026 - 19:01 EUVD
Analysis Generated
Jul 10, 2026 - 18:39 vuln.today

DescriptionCVE.org

ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL's external JWT Identity Provider validation in internal/idp/providers/jwt/session.go skips the maximum token age freshness check when an incoming token omits the iat claim, allowing arbitrarily old tokens from a trusted issuer to pass authentication. This issue is fixed in versions 3.4.12 and 4.15.2.

AnalysisAI

Insufficient session expiration in ZITADEL's external JWT Identity Provider allows arbitrarily old tokens from trusted issuers to pass authentication when the token omits the iat (issued-at) claim. ZITADEL versions prior to 3.4.12 (v3 branch) and 4.15.2 (v4 branch) are affected. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify ZITADEL instance using external JWT IdP
Delivery
Acquire or retain JWT from trusted issuer lacking iat claim
Exploit
Submit iat-less token to ZITADEL authentication endpoint
Execution
Freshness check skipped due to absent iat
Persist
Token accepted despite exceeding maximum age
Impact
Maintain access beyond intended session lifetime

Vulnerability AssessmentAI

Exploitation Exploitation requires: (1) the target ZITADEL instance must be configured with at least one external JWT Identity Provider - this is not enabled in default ZITADEL deployments; (2) the external JWT issuer must produce, or the attacker must be able to obtain, a token that omits the iat claim; (3) the attacker must possess a JWT that is validly signed by the trusted issuer (PR:L - prior credential acquisition from the issuer is required). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 score of 4.2 (Medium) reflects a constrained attack profile: AC:H indicates that exploitation requires specific environmental conditions beyond attacker control, and PR:L confirms that some level of prior credential or token acquisition from the trusted issuer is necessary. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who previously authenticated through an external JWT Identity Provider integrated with ZITADEL retains a JWT token that was issued without the iat claim - either because the external issuer does not include it or because the attacker crafted a token signed by a key they control under a trusted issuer identity. The attacker submits this token to ZITADEL's JWT IdP validation endpoint; because iat is absent, the freshness check is skipped and the token is accepted regardless of its actual age, granting the attacker continued authenticated access well past the intended session expiry.
Remediation Upgrade to ZITADEL v3.4.12 (v3 branch) or v4.15.2 (v4 branch), both confirmed by vendor release tags at https://github.com/zitadel/zitadel/releases/tag/v3.4.12 and https://github.com/zitadel/zitadel/releases/tag/v4.15.2, with underlying fixes in commits 4925fab849d39a88674485d937b79e54318b48a8 and d1c3aa84af8fcb0f33910ada30b866f4afb551ac. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-49753 CRITICAL POC
9.1 Oct 25

Zitadel is open-source identity infrastructure software. Rated critical severity (CVSS 9.1), this vulnerability is remot

CVE-2023-49097 HIGH POC
8.8 Nov 30

ZITADEL is an identity infrastructure system. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable

CVE-2026-29191 CRITICAL
9.3 Mar 07

Stored XSS in ZITADEL identity management platform versions 4.0.0 to 4.11.1 allows unauthenticated attackers to inject p

CVE-2025-27507 CRITICAL
9.0 Mar 04

The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Ra

CVE-2024-49757 MEDIUM POC
4.9 Oct 25

The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Ra

CVE-2022-36051 HIGH
8.8 Aug 31

ZITADEL combines the ease of Auth0 and the versatility of Keycloak.**Actions**, introduced in ZITADEL **1.42.0** on the

CVE-2025-31123 HIGH
8.7 Mar 31

Zitadel is open-source identity infrastructure software. Rated high severity (CVSS 8.7), this vulnerability is remotely

CVE-2024-29891 HIGH
8.7 Mar 27

ZITADEL users can upload their own avatar image and various image types are allowed. Rated high severity (CVSS 8.7), thi

CVE-2026-29193 HIGH
8.2 Mar 07

ZITADEL is an open source identity management platform. [CVSS 8.2 HIGH]

CVE-2026-56668 HIGH
8.1 Jul 10

Privilege escalation in ZITADEL identity platform (before 4.15.3) allows an attacker holding a low-privilege OAuth2 toke

CVE-2026-29067 HIGH
8.1 Mar 07

ZITADEL versions 4.0.0-rc.1 through 4.7.0 are vulnerable to open redirect attacks through improper validation of the For

CVE-2024-32868 HIGH
8.1 Apr 26

ZITADEL provides users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SM

Share

EUVD-2026-42962 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy