PT-2026-22066 · Zitadel · Zitadel

Lucasdodgson · Published 2026-02-26 · Updated 2026-03-25 · CVE-2026-27840

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
ZITADEL versions 2.31.0 through 3.4.6
ZITADEL versions 2.31.0 through 4.10.9
Description
ZITADEL is an open source identity management platform. Starting in version 2.31.0 and prior to versions 3.4.7 and 4.11.0, opaque OIDC access tokens in the v2 format that have been truncated to 80 characters are still considered valid. ZITADEL uses symmetric AES encryption for opaque tokens, and the cleartext payload includes a token ID and a user ID. Version 2 tokens distinguish the token ID as V2_<oidc session id>-at_<access token id>. When a token is truncated, the user ID is missing from the cleartext. The back end still accepts these truncated tokens because, for v2 tokens, it relies on the session data in the database to identify the user. The patch in versions 4.11.0 and 3.4.7 resolves the issue by verifying the user ID from the token against the session data in the database.
Recommendations
ZITADEL versions 2.31.0 through 3.4.6: upgrade to version 3.4.7 or later.
ZITADEL versions 2.31.0 through 4.10.9: upgrade to version 4.11.0 or later.
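To make the fix concrete, the following is an added Go example written for this page; it is not ZITADEL's code. It assumes a constructed cleartext layout of "<token id>:<user id>" and an in-memory map standing in for the session table; the token-ID layout V2_<oidc session id>-at_<access token id> is the one the advisory describes. The verifyUserID flag switches between the affected behaviour (session record alone decides) and the 3.4.7 / 4.11.0 check.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// sessions is a constructed stand-in for the session table the back end consults (session ID -> user ID).
var sessions = map[string]string{"sess123": "user-42"}

// sessionIDFromV2TokenID extracts the session ID from V2_<oidc session id>-at_<access token id>.
func sessionIDFromV2TokenID(tokenID string) (string, error) {
	rest, ok := strings.CutPrefix(tokenID, "V2_")
	if !ok {
		return "", errors.New("not a v2 token id")
	}
	sessionID, accessTokenID, ok := strings.Cut(rest, "-at_")
	if !ok || sessionID == "" || accessTokenID == "" {
		return "", errors.New("malformed v2 token id")
	}
	return sessionID, nil
}

// resolveUser maps a decrypted v2 token payload to a user. verifyUserID=false mirrors the
// affected versions (session record alone decides); true applies the 3.4.7 / 4.11.0 check.
func resolveUser(plaintext string, verifyUserID bool) (string, error) {
	tokenID, userID, _ := strings.Cut(plaintext, ":") // assumed "<token id>:<user id>" layout
	sessionID, err := sessionIDFromV2TokenID(tokenID)
	if err != nil {
		return "", err
	}
	sessionUser, ok := sessions[sessionID]
	if !ok {
		return "", errors.New("unknown session")
	}
	if verifyUserID && (userID == "" || userID != sessionUser) {
		return "", errors.New("token user id missing or does not match session")
	}
	return sessionUser, nil
}

func main() {
	// Constructed payloads: the complete cleartext, and one cut off before the user ID.
	for _, p := range []string{"V2_sess123-at_tok456:user-42", "V2_sess123-at_tok456"} {
		oldUser, oldErr := resolveUser(p, false)
		newUser, newErr := resolveUser(p, true)
		fmt.Printf("%-32q affected: %q %v | fixed: %q %v\n", p, oldUser, oldErr, newUser, newErr)
	}
}
```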

Related Identifiers

CVE-2026-27840
GHSA-6MQ3-XMGP-PJM5
GO-2026-4573
SUSE-SU-2026:1042-1

Affected Products

Zitadel