CVE-2026-56664
MEDIUM
NVD
CVSS Score
4.2
Severity
MEDIUM
Published
Jul 10, 2026
Vendor
unknown
Description
ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL's external JWT Identity Provider validation in internal/idp/providers/jwt/session.go skips the maximum token age freshness check when an incoming token omits the iat claim, allowing arbitrarily old tokens from a trusted issuer to pass authentication. This issue is fixed in versions 3.4.12 and 4.15.2.
References
- https://github.com/zitadel/zitadel/commit/4925fab849d39a88674485d937b79e54318b48a8
- https://github.com/zitadel/zitadel/commit/d1c3aa84af8fcb0f33910ada30b866f4afb551ac
- https://github.com/zitadel/zitadel/releases/tag/v3.4.12
- https://github.com/zitadel/zitadel/releases/tag/v4.15.2
- https://github.com/zitadel/zitadel/security/advisories/GHSA-wxg7-w2v3-w38g