Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Requires external JWT IdP configured and token without iat from trusted issuer (AC:H, PR:L); limited C/I impact bounded by token scope; no availability effect.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL's external JWT Identity Provider validation in internal/idp/providers/jwt/session.go skips the maximum token age freshness check when an incoming token omits the iat claim, allowing arbitrarily old tokens from a trusted issuer to pass authentication. This issue is fixed in versions 3.4.12 and 4.15.2.
AnalysisAI
Insufficient session expiration in ZITADEL's external JWT Identity Provider allows arbitrarily old tokens from trusted issuers to pass authentication when the token omits the iat (issued-at) claim. ZITADEL versions prior to 3.4.12 (v3 branch) and 4.15.2 (v4 branch) are affected. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires: (1) the target ZITADEL instance must be configured with at least one external JWT Identity Provider - this is not enabled in default ZITADEL deployments; (2) the external JWT issuer must produce, or the attacker must be able to obtain, a token that omits the iat claim; (3) the attacker must possess a JWT that is validly signed by the trusted issuer (PR:L - prior credential acquisition from the issuer is required). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 score of 4.2 (Medium) reflects a constrained attack profile: AC:H indicates that exploitation requires specific environmental conditions beyond attacker control, and PR:L confirms that some level of prior credential or token acquisition from the trusted issuer is necessary. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who previously authenticated through an external JWT Identity Provider integrated with ZITADEL retains a JWT token that was issued without the iat claim - either because the external issuer does not include it or because the attacker crafted a token signed by a key they control under a trusted issuer identity. The attacker submits this token to ZITADEL's JWT IdP validation endpoint; because iat is absent, the freshness check is skipped and the token is accepted regardless of its actual age, granting the attacker continued authenticated access well past the intended session expiry. |
| Remediation | Upgrade to ZITADEL v3.4.12 (v3 branch) or v4.15.2 (v4 branch), both confirmed by vendor release tags at https://github.com/zitadel/zitadel/releases/tag/v3.4.12 and https://github.com/zitadel/zitadel/releases/tag/v4.15.2, with underlying fixes in commits 4925fab849d39a88674485d937b79e54318b48a8 and d1c3aa84af8fcb0f33910ada30b866f4afb551ac. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Zitadel is open-source identity infrastructure software. Rated critical severity (CVSS 9.1), this vulnerability is remot
ZITADEL is an identity infrastructure system. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable
Stored XSS in ZITADEL identity management platform versions 4.0.0 to 4.11.1 allows unauthenticated attackers to inject p
The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Ra
The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Ra
ZITADEL combines the ease of Auth0 and the versatility of Keycloak.**Actions**, introduced in ZITADEL **1.42.0** on the
Zitadel is open-source identity infrastructure software. Rated high severity (CVSS 8.7), this vulnerability is remotely
ZITADEL users can upload their own avatar image and various image types are allowed. Rated high severity (CVSS 8.7), thi
ZITADEL is an open source identity management platform. [CVSS 8.2 HIGH]
Privilege escalation in ZITADEL identity platform (before 4.15.3) allows an attacker holding a low-privilege OAuth2 toke
ZITADEL versions 4.0.0-rc.1 through 4.7.0 are vulnerable to open redirect attacks through improper validation of the For
ZITADEL provides users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SM
Same weakness CWE-613 – Insufficient Session Expiration
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42962