PT-2026-57253 · Zitadel · Zitadel

Publicado

2026-07-10

·

Atualizado

2026-07-10

·

CVE-2026-56665

CVSS v3.1

4.2

Média

VetorAV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL is an open source identity management platform. From 3.0.0-rc.1 through 3.4.11 and from 4.0.0-rc.1 through 4.15.1, ZITADEL's external JWT Identity Provider validation in internal/idp/providers/jwt/session.go skips expiration handling when an incoming token omits the exp claim, allowing a token from a trusted issuer to be treated as valid without an automatic expiration window. This issue is fixed in versions 3.4.12 and 4.15.2.

Correção

Insufficient Session Expiration

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-56665

Produtos afetados

Zitadel