PT-2026-57252 · Zitadel · Zitadel

Published

2026-07-10

·

Updated

2026-07-10

·

CVE-2026-56664

CVSS v3.1

4.2

Medium

VectorAV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL's external JWT Identity Provider validation in internal/idp/providers/jwt/session.go skips the maximum token age freshness check when an incoming token omits the iat claim, allowing arbitrarily old tokens from a trusted issuer to pass authentication. This issue is fixed in versions 3.4.12 and 4.15.2.

Fix

Insufficient Session Expiration

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-56664

Affected Products

Zitadel