PT-2026-57252 · Zitadel · Zitadel
Published
2026-07-10
·
Updated
2026-07-10
·
CVE-2026-56664
CVSS v3.1
4.2
Medium
| Vector | AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N |
ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL's external JWT Identity Provider validation in internal/idp/providers/jwt/session.go skips the maximum token age freshness check when an incoming token omits the iat claim, allowing arbitrarily old tokens from a trusted issuer to pass authentication. This issue is fixed in versions 3.4.12 and 4.15.2.
Fix
Insufficient Session Expiration
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Zitadel