PT-2026-57253 · Zitadel · Zitadel

Published

2026-07-10

·

Updated

2026-07-10

·

CVE-2026-56665

CVSS v3.1

4.2

Medium

VectorAV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL is an open source identity management platform. From 3.0.0-rc.1 through 3.4.11 and from 4.0.0-rc.1 through 4.15.1, ZITADEL's external JWT Identity Provider validation in internal/idp/providers/jwt/session.go skips expiration handling when an incoming token omits the exp claim, allowing a token from a trusted issuer to be treated as valid without an automatic expiration window. This issue is fixed in versions 3.4.12 and 4.15.2.

Fix

Insufficient Session Expiration

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-56665

Affected Products

Zitadel